Re: [squid-users] kinda confused about Peek and Splice
On 18.09.2015 22:29, Alex Rousskov wrote:

>> acl nobumpSites ssl::server_name "/etc/squid3/allowed_SSL_sites.txt"
>> ssl_bump peek step1
>> ssl_bump splice step2 nobumpSites
>> ssl_bump bump all
>
> I do not see the reason for the "step2" ACL in the above. Do you?

It should be either "ssl_bump splice nobumpSites", or peek at step 2 and splice it at step 3, right? (depending on how deep we want to check) e.g.:

ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump bump all

>> So tell me what's the reason for peeking at step1? I suppose getting the real server_name based on SNI instead of reading it from the CONNECT request? (remember: all browsers are proxy aware)
>
> Yes. Not all CONNECT requests have host names.

OK, got it.

>> I'm asking because when I change my configuration to this one:
>>
>> --
>> acl allowed_https_sites dstdomain "/etc/squid3/allowed_SSL_sites.txt"
>> ssl_bump splice allowed_https_sites
>> ssl_bump bump all
>> --
>>
>> It seems to work the same way.
>
> Have you tested both configurations using a CONNECT request with an IP address? Have you tested with a CONNECT request for a foo.example.com domain when that domain responds with a bar.example.com certificate? If not, your testing is not good enough to expose [at least two] differences between the two configurations.

Not yet, but I will :) and now I know what you mean.

>> Is 'ssl::server_name' more reliable than 'dstdomain'?
>
> "reliable" is an undefined term in this context. ssl::server_name may use SNI (where available). Dstdomain does not know about SNI. There are other important documented differences as well.

>> 1. peek everything at step 1 (to get reliable server name by SNI ???)
>> 2. splicing exceptions ("whitelist") at step 2
>> 3. stare all at step 2 (or just bump the rest at step 2)
>> 4. bump all at step 3
>
> It depends how you want to identify whitelisted sites. For example, if you want to validate the server certificate before splicing, then the above will not work.

I got it!

I was thinking all the time that the action taken at step 1 and step 2 (peeking or staring) is common to all connections. That's why I considered peeking at step 2 useless: if server_name does not match the whitelist (the majority of webpages), it would be impossible to bump the connection. But those are separate rules!!! Like this:

## peeking at first step is mostly/always a good idea (to get the SNI)
ssl_bump peek step1 all
# we want to check deeply what we're gonna splice
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
### we're bumping the rest. Fake cert will be generated
### based on server's cert (that's why we want to bump at step 3)
ssl_bump stare step2 all
ssl_bump bump step3 all

Does it make some sense?

http://bugs.squid-cache.org/show_bug.cgi?id=4327

Thanks a lot, it was very helpful!!

BTW my Squid v. 3.5.8 probably generates fake certs based on the server certificate even at bump step 2 (instead of the client's SNI).

Greetings
Marek

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
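The per-step rule evaluation that the final configuration in this thread relies on, as an added Python model that is not part of the thread and not Squid's code. It assumes (simplifying Squid's documentation) that ssl::server_name sees the CONNECT host at step 1, the SNI from step 2 and the server certificate CN from step 3, that dstdomain only ever sees the CONNECT host, and it models "bump after peeking at the server certificate" as terminate:

```python
# Toy model of Squid 3.5's three-step ssl_bump evaluation, added to illustrate
# this thread. Not Squid code: the per-step name sources and the handling of
# "bump after peek" are simplifications (assumptions).
WHITELIST = {"bank.example"}   # constructed stand-in for allowed_SSL_sites.txt
NOBUMP = ("ssl::server_name", WHITELIST)

FINAL_CONFIG = [               # Marek's final configuration from this thread
    (1, "peek", "all"), (2, "peek", NOBUMP), (3, "splice", NOBUMP),
    (2, "stare", "all"), (3, "bump", "all"),
]
DSTDOMAIN_CONFIG = [           # the alternative that "seems to work the same"
    (None, "splice", ("dstdomain", WHITELIST)), (None, "bump", "all"),
]

def server_name(conn, step):
    """ssl::server_name: the best name known at this step (assumed order:
    CONNECT host at step 1, SNI from step 2, server cert CN from step 3)."""
    if step >= 3 and conn.get("cert_cn"):
        return conn["cert_cn"]
    if step >= 2 and conn.get("sni"):
        return conn["sni"]
    return conn["connect_host"]

def acl_matches(acl, conn, step):
    """'all' always matches; dstdomain only ever sees the CONNECT host."""
    if acl == "all":
        return True
    kind, names = acl
    name = conn["connect_host"] if kind == "dstdomain" else server_name(conn, step)
    return name in names

def evaluate(rules, conn):
    """Actions taken per step until the tunnel's fate is decided.
    rules: (step, or None for any step, action, acl); first match per step wins."""
    taken = []
    for step in (1, 2, 3):
        for rule_step, action, acl in rules:
            if rule_step in (None, step) and acl_matches(acl, conn, step):
                break
        else:
            action = "no-match"      # Squid's default applies; not modelled here
        if action == "bump" and "peek" in taken[1:]:
            action = "terminate"     # assumption: peeking at the server cert precludes bumping
        taken.append(action)
        if action not in ("peek", "stare"):
            break
    return taken

# Constructed connection: a CONNECT by IP address is where the two configs diverge.
BY_IP = {"connect_host": "203.0.113.10", "sni": "bank.example", "cert_cn": "bank.example"}
```

With BY_IP the final configuration yields peek, peek, splice (the SNI rescues the whitelist match), while the dstdomain configuration bumps at step 1 because it never sees the SNI.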
Re: [squid-users] kinda confused about Peek and Splice
Hi guys,

I'm still confused about peek and stare. Correct me please if I'm wrong.

1. The only way to be absolutely sure what is transmitted over an SSL tunnel is bumping the connection - there is no other possibility.
2. Some important websites shouldn't be bumped - like banking or payment systems. Such pages should be spliced by a whitelist at step 2?
3. Some websites/services can't be bumped because of the HPKP feature. So if we want to allow users to use such sites/services we must splice them at step 2 (like banking systems)?

My policy is: bump everything except banking systems (and some other important domains).

My config is like this:

--
acl nobumpSites ssl::server_name "/etc/squid3/allowed_SSL_sites.txt"
ssl_bump peek step1
ssl_bump splice step2 nobumpSites
ssl_bump bump all
--

So tell me what's the reason for peeking at step1? I suppose getting the real server_name based on SNI instead of reading it from the CONNECT request? (remember: all browsers are proxy aware)

I'm asking because when I change my configuration to this one:

--
acl allowed_https_sites dstdomain "/etc/squid3/allowed_SSL_sites.txt"
ssl_bump splice allowed_https_sites
ssl_bump bump all
--

It seems to work the same way. Is 'ssl::server_name' more reliable than 'dstdomain'?

So, despite that I'm still confused about peek & stare - for me it only makes sense in this order:

1. peek everything at step 1 (to get reliable server name by SNI ???)
2. splicing exceptions ("whitelist") at step 2
3. stare all at step 2 (or just bump the rest at step 2)
4. bump all at step 3

Does it make sense according to my policy assumptions? If yes, tell me what's the advantage of stare at step 2 - instead of bumping everything after splicing the exceptions?

I truly apologize for such a long email, but I wanted to put in as many doubts as I can :)

Thanks a lot!
Marek
[squid-users] kinda confused about Peek and Splice
Hello,

I'm kinda confused about the "Peek and Splice" technique introduced in Squid 3.5.x.

My goal is to allow the CONNECT method ONLY to certain web pages (mainly banks, payment systems). The rest of the https sites should always be bumped. And this can be easily achieved even in Squid 3.3 (I'm talking about the situation where the browser is totally aware of using a proxy server - not transparent mode).

But when Squid allows the CONNECT method, it allows any kind of TCP tunnel (e.g. OpenVPN over TCP or an ssh tunnel).

So, my real question is - is it possible, using the new technique (Peek and Splice), to allow the Splice method - but ONLY to real HTTPS sites, not an ssh or VPN service? (I'm still talking about the situation where browsers are aware of proxying)

I was thinking that it can be done by peeking in step 2 (peeking at the server certificate) BUT there is a limitation: peeking at the server certificate usually precludes future bumping. So when we're peeking at step 2 we can only splice later (or terminate) - which is not what I wanted to achieve.

If the above is not possible, what is the main advantage of "Peek and Splice" compared to the old method (remember: browsers are aware of proxying)? I can see an advantage in transparent mode - obtaining the domain name by SNI. But in "normal mode" Squid knows the domain name because of the CONNECT request? And knowing the domain name we can decide what to do.

Thx for any hints or explanation!