ALPN, HTTP/2 and sslbump

ALPN, HTTP/2 and sslbump

senor
I am surprised that I didn't find this question asked and answered
recently. Maybe this issue is newer than I realize.

I understand that support of HTTPS/2 is in development but I'd like to
better understand what is and is not currently supported. I discovered
the other day that an intercepted client https connection, which
included both h2 and http/1.1 in the ALPN extension, was tunneled when
the server responded with only h2. I'm assuming that was due to squid
not fully supporting HTTP/2.

My initial need is to prevent the tunnel. Preferably by forcing http/1.1
and bumping but just denying the connection is second best. I'm not
aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm
thinking the external_acl is the only way to go. I think the client ALPN
data is available at bump step 2 but what options do I have at that point?

Help or corrections to my assumptions are appreciated.

Senor

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: ALPN, HTTP/2 and sslbump

Amos Jeffries
Administrator
On 08/11/17 17:15, senor wrote:
> I am surprised that I didn't find this question asked and answered
> recently. Maybe this issue is newer than I realize.
>
> I understand that support of HTTPS/2 is in development but I'd like to
> better understand what is and is not currently supported. I discovered
> the other day that an intercepted client https connection, which
> included both h2 and http/1.1 in the ALPN extension, was tunneled when
> the server responded with only h2. I'm assuming that was due to squid
> not fully supporting HTTP/2.

Hmm. If you are using SSL-Bump to bump the traffic the current Squid
should be delivering an ALPN containing only HTTP/1.1 to the server.
Sending h2 in the ALPN is only valid if the proxy supports h2 natively
or intends up front to splice the transaction back to "tunneled".


>
> My initial need is to prevent the tunnel. Preferably by forcing http/1.1
> and bumping but just denying the connection is second best. I'm not
> aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm
> thinking the external_acl is the only way to go. I think the client ALPN
> data is available at bump step 2 but what options do I have at that point?
>
> Help or corrections to my assumptions are appreciated.
>

Any info about your Squid version, and squid.conf contents - especially
http_access and SSL-Bump related things would be useful. Random guesses
about complex things like TLS are harmful to solving actual problems.

Amos
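Amos's point can be checked directly rather than guessed at: capture the ClientHello the proxy sends toward the origin and look at what its ALPN extension actually lists. The script below is an added illustration for this thread, not Squid code and not something either poster supplied. It constructs a minimal TLS 1.2 ClientHello (fixed random, one cipher suite, SNI and ALPN extensions) as sample input, parses the ALPN list back out per RFC 7301, and reports whether the hello offers anything other than http/1.1. Applied to the server-side hello of a bumped connection, a list still containing h2 is the condition that, per Amos's reply, would lead the server to pick h2 and the proxy to fall back to tunnelling. The hostname example.test and the helper names are assumptions of the example.

```python
import struct

ALPN_EXTENSION_TYPE = 0x0010   # application_layer_protocol_negotiation, RFC 7301
SNI_EXTENSION_TYPE = 0x0000    # server_name, RFC 6066
HANDSHAKE_CLIENT_HELLO = 0x01


def build_client_hello(alpn_protocols, sni=b"example.test"):
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI and an
    ALPN extension. This is constructed sample data, not a captured packet."""
    def ext(ext_type, body):
        return struct.pack("!HH", ext_type, len(body)) + body

    # SNI: server_name_list length, name_type=host_name(0), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    sni_ext = ext(SNI_EXTENSION_TYPE, struct.pack("!H", len(sni_entry)) + sni_entry)
    # ALPN: protocol_name_list length, then one length-prefixed name per protocol
    alpn_list = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
    alpn_ext = ext(ALPN_EXTENSION_TYPE, struct.pack("!H", len(alpn_list)) + alpn_list)
    extensions = sni_ext + alpn_ext

    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # random (fixed, reproducible)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record header: content_type handshake(22), legacy version, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record):
    """Return the list of ALPN protocol names offered by a ClientHello record,
    or [] when no ALPN extension is present. Raises ValueError on bad input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                     # skip version and random
    pos += 1 + body[pos]                             # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos == len(body):
        return []                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")

    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if ext_type != ALPN_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        names, p = [], 2
        while p < 2 + list_len:
            n = data[p]
            names.append(data[p + 1:p + 1 + n])
            p += 1 + n
        return names
    return []


def offers_only_http11(record):
    """True when the ClientHello's ALPN is absent or lists only http/1.1, which
    is what a bumping proxy that does not itself speak h2 should send onward."""
    return all(p == b"http/1.1" for p in parse_alpn(record))


if __name__ == "__main__":
    # A browser-style hello offering h2 first, as in the intercepted client
    # connection described in the thread, versus the hello a bumping proxy
    # should originate toward the server.
    client_side = build_client_hello([b"h2", b"http/1.1"])
    server_side = build_client_hello([b"http/1.1"])
    print("client offers:", parse_alpn(client_side), "only http/1.1:", offers_only_http11(client_side))
    print("proxy offers: ", parse_alpn(server_side), "only http/1.1:", offers_only_http11(server_side))
```

To apply this to real traffic, feed parse_alpn the first TLS record of the proxy-to-origin connection (for example the bytes of the first packet from a capture taken on the proxy's outbound interface); the parser only consumes the ClientHello and does not need the rest of the handshake.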
Re: ALPN, HTTP/2 and sslbump

senor
Thanks Amos. I guess I was assuming that squid was just copying the ALPN
extension info from Client Hello without regard to capabilities (squid
3.5.26). I'll take another stab at the debug info and post more details
if that doesn't pop something up.


Senor


On 11/7/2017 20:29, Amos Jeffries wrote:

> On 08/11/17 17:15, senor wrote:
>> I am surprised that I didn't find this question asked and answered
>> recently. Maybe this issue is newer than I realize.
>>
>> I understand that support of HTTPS/2 is in development but I'd like to
>> better understand what is and is not currently supported. I discovered
>> the other day that an intercepted client https connection, which
>> included both h2 and http/1.1 in the ALPN extension, was tunneled when
>> the server responded with only h2. I'm assuming that was due to squid
>> not fully supporting HTTP/2.
>
> Hmm. If you are using SSL-Bump to bump the traffic the current Squid
> should be delivering an ALPN containing only HTTP/1.1 to the server.
> Sending h2 in the ALPN is only valid if the proxy supports h2 natively
> or intends up front to splice the transaction back to "tunneled".
>
>
>>
>> My initial need is to prevent the tunnel. Preferably by forcing http/1.1
>> and bumping but just denying the connection is second best. I'm not
>> aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm
>> thinking the external_acl is the only way to go. I think the client ALPN
>> data is available at bump step 2 but what options do I have at that
>> point?
>>
>> Help or corrections to my assumptions are appreciated.
>>
>
> Any info about your Squid version, and squid.conf contents -
> especially http_access and SSL-Bump related things would be useful.
> Random guesses about complex things like TLS are harmful to solving
> actual problems.
>
> Amos
