Discussion:
[squid-users] about sni
HackXBack
2016-02-15 23:46:24 UTC
What are the requirements for ssl::server_name to work with SNI (squid
3.5.12) ?

In principle, I want to do this (from squid.conf):
....
# get the public TLS metadata (includes SNI)
ssl_bump peek all

# block based on SNI matching
acl blocked ssl::server_name .example.com
ssl_bump terminate blocked

# tunnel (no decrypting) for everything else
ssl_bump splice all
.....

Few questions regarding the pre-requisites for this to work:
- It should not be necessary to install Squid's cert in the client, correct?
- squid.conf: Anything missing in next line (cert for squid ) ?
http_port 3129 intercept ssl-bump
- Anything else required ?



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/about-sni-tp4676005.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Amos Jeffries
2016-02-16 01:13:14 UTC
Post by HackXBack
What are the requirements for ssl::server_name to work with SNI (squid
3.5.12) ?
....
# get the public TLS metadata (includes SNI)
ssl_bump peek all
This will peek at both step 1 and 2.
Post by HackXBack
# block based on SNI matching
acl blocked ssl::server_name .example.com
ssl_bump terminate blocked
This is only reached at step 3. Which means it will happen based on
server cert matching (*NOT SNI*). Also, terminate seems to require
similar operations to bump, so after the step 2 peek it may not work
reliably.
Post by HackXBack
# tunnel (no decrypting) for everything else
ssl_bump splice all
.....
- It should not be necessary to install Squid's cert in the client, correct?
Correct. SNI has nothing to do with whether the client trusts *Squid's*
certificate.
Post by HackXBack
- squid.conf: Anything missing in next line (cert for squid ) ?
http_port 3129 intercept ssl-bump
The cert= settings are still required here, that is just to get ssl-bump
operating.
Post by HackXBack
- Anything else required ?
* The client is required to send SNI.

* Squid peek or stare action is required to be configured at step 1 of
ssl_bump processing.

That is all.

Amos
HackXBack
2016-02-16 01:15:22 UTC
So I am using the wrong conf.
Please can you help me with the right conf to make SNI work if it can't be bumped?



Amos Jeffries
2016-02-16 06:36:58 UTC
Post by HackXBack
So I am using the wrong conf.
Please can you help me with the right conf to make SNI work if it can't be bumped?
If I am understanding you right you need to add this:

acl step1 at_step SslBumpStep1

Then, replace the "peek all" with "peek step1"

Amos
HackXBack
2016-02-16 10:18:00 UTC
Okay, now I have this:

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all



but all HTTPS connections are TCP_TUNNEL/200.
I need only SNI requests that can't be bumped to be TCP_TUNNEL/200!!!
The other requests must be bumped and decrypted!!



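The configuration below is an added example, not part of the thread or of Squid's own documentation. It puts together what the replies above describe: peek only at step 1 so the SNI is known, then decide per SNI whether to splice (for apps that pin certificates and therefore cannot be bumped), terminate, or bump. The CA certificate path, the ssl_crtd helper path and database, and the list of pinned-app domains are assumptions for illustration; replace them with your own.

```conf
# Added example for Squid 3.5 (not from the thread). Paths and domain lists are assumed.

# Certificate generator for bumped connections (helper path and db location are assumptions)
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Intercept port: cert= is still required for ssl-bump to operate at all,
# even though spliced clients never see this certificate
http_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/squid-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Step 1 is the client hello; peeking here (and only here) lets Squid read the SNI
acl step1 at_step SslBump1

# Services whose mobile apps pin certificates: tunnel these untouched (assumed list)
acl pinned ssl::server_name .apple.com
acl pinned ssl::server_name .icloud.com
acl pinned ssl::server_name .whatsapp.net

# Sites to refuse outright, matched on SNI at step 2
acl blocked ssl::server_name .example.com

ssl_bump peek step1        # step 1: read SNI, commit to nothing yet
ssl_bump terminate blocked # step 2: close the connection for blocked SNI
ssl_bump splice pinned     # step 2: TCP_TUNNEL/200 for pinned apps, no decryption
ssl_bump bump all          # step 2: everything else is bumped using a cert generated from the SNI
```

Because the peek is restricted to step 1, the ssl::server_name ACLs in the later rules are evaluated at step 2 against the SNI (an IP address is all that is available for a client that sent no SNI, so such a client falls through to bump and will fail if its app pins). Bumped clients still need the CA in cert= installed in their trust store; spliced ones do not. The terminate rule at step 2 reflects Alex's statement in this thread that terminate should be usable at any step; the thread also links a filed bug about it, so test that rule on your version before relying on it.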
HackXBack
2016-02-16 19:14:33 UTC
Why do SNI connections not work?
Any applications on mobile Android or Apple are not working when doing
ssl_bump!!
Maybe I missed something? Otherwise bumping HTTPS is useless!!



Yuri Voinov
2016-02-16 19:43:28 UTC
I suggest the more correct term is:

"Not ALL applications on apple or android works".

Yes?

Also I suggest you get acquainted with pinned connections. ;) They can't be
bumped. For now ;)
Post by HackXBack
Why do SNI connections not work?
Any applications on mobile Android or Apple are not working when doing
ssl_bump!!
Maybe I missed something? Otherwise bumping HTTPS is useless!!
HackXBack
2016-02-16 19:20:48 UTC
It's okay, I don't want to bump them!! But at least make them work!!
Most applications use pinned connections!!
Most of them are not working at all!!
The connection can't be established at all!!



Yuri Voinov
2016-02-16 19:47:44 UTC
Wow, wow, not most, any ;)

Use splice, Luke :))))) This thing is for it. :)
Post by HackXBack
It's okay, I don't want to bump them!! But at least make them work!!
Most applications use pinned connections!!
Most of them are not working at all!!
The connection can't be established at all!!
Alex Rousskov
2016-02-16 19:47:39 UTC
Post by Amos Jeffries
Also, terminate seems to require
similar operations to bump, so after the step 2 peek it may not work
reliably.
The terminate action (i.e., TCP connection(s) closure) should not
require anything and should be usable at all steps, regardless of the
SslBump state. Any deviation from that is a bug.

AFAIK, one such bug was filed:

http://bugs.squid-cache.org/show_bug.cgi?id=4321

Alex.