Squid ssl_bump always makes outbound connection


Squid ssl_bump always makes outbound connection

Eric Lackey-2
Using squid-4.2-1.el7.x86_64

I'm looking at ways to optimize Squid when using ssl_bump. We use the peek & splice approach now and it works pretty well. 

While running some tests, I noticed that Squid always makes an outbound connection to the remote server regardless of when I terminate the connection. I'm trying to build a configuration that denies traffic immediately if the client SNI header doesn't match without making a connection to the remote host.

Here is a very simple configuration that should terminate all connections after step1. The connection is terminated, but by running a tcpdump at the same time, I see that Squid still makes an outbound connection.

acl step1 at_step SslBump1
ssl_bump terminate step1

I would expect that if I terminate after step1, the connection to the remote server should never be made. Can anyone help me understand why Squid would still make the outbound connection in this instance? 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
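The SNI-based policy the original post is aiming for, written out as an added squid.conf example (this is not configuration from the post or from the Squid project; the listening port, the certificate path and the `.example.com` / `.example.net` names are constructed). At SslBump1 Squid only knows the TCP endpoints, so the client's SNI cannot be evaluated at that step; `peek` at step1 reads the TLS ClientHello, and the SNI then becomes available to `ssl::server_name` at SslBump2, where a non-matching name can be terminated. Whether Squid opens the outbound TCP connection before acting on a terminate is exactly what the thread questions, so the tcpdump check the post describes is still the way to confirm the behaviour on a given build.

```conf
# Added example (not from the post): terminate TLS connections whose SNI is
# not on an allow list, without decrypting permitted traffic.
# Constructed values: port 3129 and the certificate path.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/bump.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Constructed allow list; a leading dot matches the domain and its subdomains.
acl allowed_sni ssl::server_name .example.com
acl allowed_sni ssl::server_name .example.net

# Step 1: only TCP-level information is known, so peek to read the ClientHello.
ssl_bump peek step1

# Step 2: the SNI from the ClientHello is now available to ssl::server_name.
# Splice permitted names (Squid relays the TLS bytes unmodified) and
# terminate everything else, including connections that sent no SNI.
ssl_bump splice allowed_sni
ssl_bump terminate all
```

Rules are re-evaluated at each step, so `peek step1` matches only at step1; at step2 the `splice` / `terminate` pair decides. Because no connection is ever bumped, no `sslcrtd_program` or generated host certificates are needed for this policy.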

Re: Squid ssl_bump always makes outbound connection

Alex Rousskov
On 08/25/2018 08:35 AM, Eric Lackey wrote:
> Using squid-4.2-1.el7.x86_64

> acl step1 at_step SslBump1
> ssl_bump terminate step1

> I would expect that if I terminate after step1, the connection to the
> remote server should never be made. Can anyone help me understand why
> Squid would still make the outbound connection in this instance?

Sounds like a Squid bug to me. There were several bugs related to
handling final step1 configurations because SslBump developers often did
not test them when modifying other SslBump aspects. Some of those bugs
still remain. This could be one of them.

I suggest filing a Squid bug report with a single-transaction ALL,9
cache.log attached.


Good luck,

Alex.

Re: Squid ssl_bump always makes outbound connection

Eliezer Croitoru
In reply to this post by Eric Lackey-2

Thanks for testing.

I didn't get to this level yet…

I am trying to test a couple of aspects but I believe that this step is so fast that I didn't notice it even there.


Thanks,

Eliezer


----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Eric Lackey
Sent: Saturday, August 25, 2018 5:36 PM
To: [hidden email]
Subject: [squid-users] Squid ssl_bump always makes outbound connection