Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Alex Rousskov

On 2024-05-23 13:06, Robin Wood wrote:
> I've tried searching for Squid and sslbump and not found anything useful 
> that works with the current version, that is why I'm asking here, I was 
> hoping someone could point me at an example that would definitely work 
> with the current version of Squid.


FWIW, most of the basics are covered at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

That page was written for a feature introduced in v3.5, but it is not 
specific to that Squid version.



HTH,

Alex.



 > On May 23, 2024, at 08:49, Alex Rousskov wrote:
 >
 > On 2024-05-22 03:49, Robin Wood wrote:
 >
 >> I'm trying to work out how to add an extra header to a TLS
 >> connection.
 >
 > I assume that you want to add a header field to an HTTP request
 > or response that is being transmitted inside a TLS connection
 > between a TLS client (e.g., a user browser) and an HTTPS origin server.
 >
 > Do you control the client that originates that TLS connection (or
 > its OS/environment) or the origin server? If you do not, then what
 > you want is impossible -- TLS encryption exists, in part, to prevent
 > such traffic modifications.
 >
 > If you control the client that originates that TLS connection (or
 > its OS/environment), then you may be able to, in _some_ cases, add
 > that header by configuring the client (or its OS/environment) to
 > trust you as a Certificate Authority, minting your own X509
 > certificates, and configuring Squid to perform a "man in the middle"
 > attack on client-server traffic, using your minted certificates. You
 > can search for Squid SslBump to get more information about this
 > feature, but the area is full of insurmountable difficulties and
 > misleading advice. Avoid it if at all possible!
 >
 >
 > HTH,
 >
 > Alex.
 >
 >
 >> I've found information on how to do it on what I think is the
 >> pre-3.5 release, but I can't find any useful information on doing it
 >> on the current version.
 >> Could someone give me an example or point me at some
 >> documentation on how to do it.
 >> Thanks
 >> Robin
___
squid-users mailing list
squid-users@lists.squid-cache.org

https://lists.squid-cache.org/listinfo/squid-users






Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Robin Wood
On Thu, 23 May 2024 at 18:00, Jonathan Lee  wrote:

> I do use ssl bump again it requires certificates installed on the devices,
> and or some and a splice for the others. You must also add a url list for
> items that must never be intercepted like banks etc. I agree it is not an
> easy task, it took me years to get it to work correctly for what I needed.
> When it does work it works beautifully, you can cache updates and reuse
> them, you can use clam AV on https traffic. It’s not for everyone it will
> make you a wizard level 1000 if you can get it going.
>

Jonathan, can you give me an example of it working?

Oddly, you are replying to a message from Alex that I never received.

Alex, in answer to your questions...

I'm doing some testing against a client's site, they require a custom
header to allow my connections through their WAF. I could try to do this
manually with all my tools, but it would be easier to just have Squid do it
for me and then have the tools use Squid as their proxy. I can tell them to
not do cert checking or I can use my own CA and import it into the system
store, that is not a problem.

I've tried searching for Squid and sslbump and not found anything useful
that works with the current version, that is why I'm asking here, I was
hoping someone could point me at an example that would definitely work with
the current version of Squid.

Robin


> Sent from my iPhone
>
> > On May 23, 2024, at 08:49, Alex Rousskov <
> rouss...@measurement-factory.com> wrote:
> >
> > On 2024-05-22 03:49, Robin Wood wrote:
> >
> >> I'm trying to work out how to add an extra header to a TLS connection.
> >
> > I assume that you want to add a header field to an HTTP request or
> response that is being transmitted inside a TLS connection between a TLS
> client (e.g., a user browser) and an HTTPS origin server.
> >
> > Do you control the client that originates that TLS connection (or its
> OS/environment) or the origin server? If you do not, then what you want is
> impossible -- TLS encryption exists, in part, to prevent such traffic
> modifications.
> >
> > If you control the client that originates that TLS connection (or its
> OS/environment), then you may be able to, in _some_ cases, add that header
> by configuring the client (or its OS/environment) to trust you as a
> Certificate Authority, minting your own X509 certificates, and configuring
> Squid to perform a "man in the middle" attack on client-server traffic,
> using your minted certificates. You can search for Squid SslBump to get
> more information about this feature, but the area is full of insurmountable
> difficulties and misleading advice. Avoid it if at all possible!
> >
> >
> > HTH,
> >
> > Alex.
> >
> >
> >> I've found information on how to do it on what I think is the pre-3.5
> release, but I can't find any useful information on doing it on the current
> version.
> >> Could someone give me an example or point me at some documentation on
> how to do it.
> >> Thanks
> >> Robin


Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Jonathan Lee
I do use ssl bump again it requires certificates installed on the devices, and 
or some and a splice for the others. You must also add a url list for items 
that must never be intercepted like banks etc. I agree it is not an easy task, 
it took me years to get it to work correctly for what I needed. When it does 
work it works beautifully, you can cache updates and reuse them, you can use 
clam AV on https traffic. It’s not for everyone it will make you a wizard level 
1000 if you can get it going.
Sent from my iPhone

> On May 23, 2024, at 08:49, Alex Rousskov  
> wrote:
> 
> On 2024-05-22 03:49, Robin Wood wrote:
> 
>> I'm trying to work out how to add an extra header to a TLS connection.
> 
> I assume that you want to add a header field to an HTTP request or response 
> that is being transmitted inside a TLS connection between a TLS client (e.g., 
> a user browser) and an HTTPS origin server.
> 
> Do you control the client that originates that TLS connection (or its 
> OS/environment) or the origin server? If you do not, then what you want is 
> impossible -- TLS encryption exists, in part, to prevent such traffic 
> modifications.
> 
> If you control the client that originates that TLS connection (or its 
> OS/environment), then you may be able to, in _some_ cases, add that header by 
> configuring the client (or its OS/environment) to trust you as a Certificate 
> Authority, minting your own X509 certificates, and configuring Squid to 
> perform a "man in the middle" attack on client-server traffic, using your 
> minted certificates. You can search for Squid SslBump to get more information 
> about this feature, but the area is full of insurmountable difficulties and 
> misleading advice. Avoid it if at all possible!
> 
> 
> HTH,
> 
> Alex.
> 
> 
>> I've found information on how to do it on what I think is the pre-3.5 
>> release, but I can't find any useful information on doing it on the current 
>> version.
>> Could someone give me an example or point me at some documentation on how to 
>> do it.
>> Thanks
>> Robin


Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Alex Rousskov

On 2024-05-22 03:49, Robin Wood wrote:


> I'm trying to work out how to add an extra header to a TLS connection.


I assume that you want to add a header field to an HTTP request or 
response that is being transmitted inside a TLS connection between a TLS 
client (e.g., a user browser) and an HTTPS origin server.


Do you control the client that originates that TLS connection (or its 
OS/environment) or the origin server? If you do not, then what you want 
is impossible -- TLS encryption exists, in part, to prevent such traffic 
modifications.


If you control the client that originates that TLS connection (or its 
OS/environment), then you may be able to, in _some_ cases, add that 
header by configuring the client (or its OS/environment) to trust you as 
a Certificate Authority, minting your own X509 certificates, and 
configuring Squid to perform a "man in the middle" attack on 
client-server traffic, using your minted certificates. You can search 
for Squid SslBump to get more information about this feature, but the 
area is full of insurmountable difficulties and misleading advice. Avoid 
it if at all possible!



HTH,

Alex.


> I've found information on how to do it on what I think is the pre-3.5 
> release, but I can't find any useful information on doing it on the 
> current version.
>
> Could someone give me an example or point me at some documentation on 
> how to do it.
>
> Thanks
>
> Robin
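
The setup described in the message above, as an added squid.conf example that is not from any participant in this thread or from the Squid project. It bumps only one named site and splices everything else. The port, file paths, `.example.test`, and the header name and value are placeholders, and it assumes a Squid 4 or later build with OpenSSL and certificate-generation support (`--with-openssl --enable-ssl-crtd`).

```conf
# Added example: all paths, names and values below are assumptions.

# Forward-proxy port that may bump CONNECT tunnels. The CA certificate and key
# are ones you minted yourself; the client (or its OS) must trust that CA.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by the CA above.
# Its install path varies by distribution, and the database directory
# must be initialised once with the helper's -c option before Squid starts.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Scope: the one site that needs the header (placeholder domain).
acl step1 at_step SslBump1
acl bump_sni ssl::server_name .example.test
acl bump_dst dstdomain .example.test

# Step 1: peek at the TLS client hello to learn the SNI.
ssl_bump peek step1
# Later steps: decrypt only the in-scope site ...
ssl_bump bump bump_sni
# ... and tunnel everything else untouched (banks, update services, etc.).
ssl_bump splice all

# Add the header to outgoing requests for the in-scope site only.
# Spliced connections stay encrypted end to end, so nothing is added there.
request_header_add X-Placeholder-Header "placeholder-value" bump_dst
```

`squid -k parse` checks the file for syntax errors before a restart. Clients that pin certificates or do not use the system trust store will still reject the bumped connection.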



[squid-users] Adding an extra header to TLS connection

2024-05-22 Thread Robin Wood
Hi
I'm trying to work out how to add an extra header to a TLS connection.

I've found information on how to do it on what I think is the pre-3.5
release, but I can't find any useful information on doing it on the current
version.

Could someone give me an example or point me at some documentation on how
to do it.

Thanks

Robin