difference of settings doing the same as it seems

difference of settings doing the same as it seems

Walter H.
Hello,

I found out something strange

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

# I had these 3 settings - most worked, but only a few hosted at cloudflare worked: problems with SNI there, but only there
#ssl_bump stare step1 all
#ssl_bump splice nobumpsites
#ssl_bump bump all

# so I did these 3 settings
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare all

the file above contains server names where no SSL interception should be
done, e.g. banking;

can someone explain the difference between these two ways - the
commented ones and the other 3 settings?

Thanks,
Walter


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: difference of settings doing the same as it seems

Alex Rousskov
On 11/14/19 2:06 PM, Walter H. wrote:

> #ssl_bump stare step1 all
> #ssl_bump splice nobumpsites
> #ssl_bump bump all

> ssl_bump peek step1
> ssl_bump splice nobumpsites
> ssl_bump stare all

Both configurations peek at the TLS client Hello. Both configurations
splice nobumpsites during step2 when nobumpsites matches during that
step. Now about the differences:

The first configuration bumps bumpsites (i.e. sites that did not match
nobumpsites) during step2, before the server certificate details are
known. It never reaches step3.

The second configuration uses the implicit "bump if the action during
the previous step was stare and no applicable actions matched during the
current step" rule to bump bumpsites during step3, after learning the
server certificate details.


You can rewrite these two configurations to be more symmetrical but
still have the same respective outcomes:

  # bump at step2
  ssl_bump peek step1
  ssl_bump splice nobumpsites
  ssl_bump bump all

  # bump at step3
  ssl_bump peek step1
  ssl_bump splice nobumpsites
  ssl_bump stare step2
  ssl_bump bump all

As you can see, the only difference is the "stare step2" rule which
allows Squid to learn the server certificate details and incorporate
those details into the generated fake certificate when the connections
are bumped.


> can someone explain the difference between these two ways - the
> commented ones and the other 3 settings?

If you had good reasons to think that the two configurations are the
same, consider contributing Squid documentation adjustments to better
explain why they are not.

Alex.
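As an added illustration, not part of the thread and not Squid's own code, the following Python model walks the four rule sets quoted above through SslBump steps 1 to 3 the way Alex describes: first applicable matching rule wins, peek/stare are not applicable at step 3, and a no-match after a stare bumps. The Rule/decide names and the two sample transactions are constructed for the example, and the fallback to splice for any other no-match case is an assumption of the model.

```python
from dataclasses import dataclass

FINAL = {"splice", "bump", "terminate"}   # these end rule evaluation for the connection
CONTINUE = {"peek", "stare"}              # these advance Squid to the next SslBump step

@dataclass(frozen=True)
class Rule:
    action: str
    acls: tuple  # ACL names on one ssl_bump line; all must match, as in squid.conf

def applicable(action: str, step: int) -> bool:
    # peek/stare need a later step to continue into, so they are ignored at step 3
    return action in FINAL or (action in CONTINUE and step < 3)

def decide(rules, matches):
    """matches[step] = set of ACL names true at that step; returns the per-step action trace."""
    trace, prev = [], None
    for step in (1, 2, 3):
        facts = matches[step] | {f"step{step}", "all"}   # at_step ACLs and 'all' are implicit
        chosen = next((r.action for r in rules
                       if applicable(r.action, step) and all(a in facts for a in r.acls)), None)
        if chosen is None:
            # implicit rule quoted in the thread: stare at the previous step -> bump now.
            # ASSUMPTION of this model: any other no-match case falls back to splice.
            chosen = "bump" if prev == "stare" else "splice"
        trace.append((step, chosen))
        if chosen in FINAL:
            break
        prev = chosen
    return trace

def bump_step(rules, matches):
    """Step at which the connection is bumped, or None if it is spliced/terminated."""
    return next((s for s, a in decide(rules, matches) if a == "bump"), None)

# Walter's commented-out and active configurations, plus Alex's two symmetric rewrites
OLD = (Rule("stare", ("step1", "all")), Rule("splice", ("nobumpsites",)), Rule("bump", ("all",)))
NEW = (Rule("peek", ("step1",)), Rule("splice", ("nobumpsites",)), Rule("stare", ("all",)))
ALEX_STEP2 = (Rule("peek", ("step1",)), Rule("splice", ("nobumpsites",)), Rule("bump", ("all",)))
ALEX_STEP3 = (Rule("peek", ("step1",)), Rule("splice", ("nobumpsites",)),
              Rule("stare", ("step2",)), Rule("bump", ("all",)))

# Constructed sample transactions: a bank whose SNI is in the nobumpsites list (known from
# step 2 on, once the client Hello has been peeked), and a site that never matches the list.
BANK = {1: set(), 2: {"nobumpsites"}, 3: {"nobumpsites"}}
OTHER = {1: set(), 2: set(), 3: set()}
```

decide(OLD, OTHER) ends with a bump at step 2, while decide(NEW, OTHER) stares at step 2 and only bumps at step 3, which is the difference Alex points out; both splice BANK at step 2.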