Re: Fwd: HTTPS pass through / SNI filtering

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Aug 2011 21:21:17 +1200

On 03/08/11 20:38, Deniz Eren wrote:
> Hi again;
>
> I have changed tunnelStart(...) function a bit and now I can create
> fake HTTP request without depending on ClientHttpRequest, but problem
> is I could not find the right place to intercept connection and use
> tunnelStart(...) to forward HTTPS packets through squid. Can you give
> me ideas where to call tunnelStart(...) function and after that how to
> continue? (By the way I am doing all this stuff with squid-3.1.14).
>
> Good day to you..

In src/client_side.cc the function called httpsAccept() is run on each
new connection.

Near the end it runs "commSetSelect(newfd, COMM_SELECT_READ, ..." to
kick off the SSL negotiation, which in turn starts the regular HTTPS
receive handling.

I think you need to do something at that point like:

   if (s->intercepted) {
     ... new call to handle SNI and lead on to tunnel creation.
   } else {
     commSetSelect(newfd, COMM_SELECT_READ, clientNegotiateSSL ...);
   }

Then you configure a regular https_port with the "intercept" mode set
and connections to it will run through your code.

Amos

>
> Amos Jeffries<squid3 () treenet ! co ! nz>
>
> We have not yet gotten around to implementing a "ssl" flag on http_port
> directives. You will need to start with that to allow detection of the
> case where ssl traffic is intercepted on a port.
>
> You will need to adjust TunnelStateData so that you can create it with
> only a Comm::Connection object instead of a ClientHttpRequest or
> HttpRequest object.
>
>
> You will need to then figure out what changes to ConnStateData are
> needed to detect the intercept+ssl flags case and do SNI instead of
> parsing an HTTP request. Have it spawn a TunnelStateData object to do
> the actual bit-relay work. Somehow making sure the whole SSL sequence
> including SNI data arrive properly at the destination server without
> getting lost or swallowed by Squid's processing.
>
> Good luck.
>
>
> On Wed, Jul 6, 2011 at 9:34 AM, Deniz Eren<deniz_at_denizeren.net> wrote:
>> Hi;
>>
>> Can you give me an idea from where to start in order to pass https
>> traffic unprocessed through squid or implement SNI filtering for
>> squid, that will be enough to start my project.
>>
>> Thanks in advance..
>>
>>
>>
>> On Mon, Jul 4, 2011 at 3:04 PM, Deniz Eren<deniz_at_denizeren.net> wrote:
>>> Hi;
>>>
>>> I'm planning to work on an acl which uses SNI. But I need to pass
>>> https traffic through squid without processing it. Because I'm not
>>> interested in filtering or seeing the content, SNI server_name info
>>> will be enough. But with squid it is not possible to pass https
>>> traffic without processing it. In my design I won't use proxy, the
>>> iptables rule below will redirect https traffic to squid:
>>>
>>> iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT
>>> --to-destination 192.168.0.1:3128
>>>
>>> Can you give me ideas how to solve above problem? And also are you
>>> working on SNI filtering?
>>>
>>> Good day to you..
>>>
>>
>
>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
Received on Wed Aug 03 2011 - 09:21:32 MDT
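The thread never shows what "do SNI instead of parsing an HTTP request" involves at the byte level. The following is an added example, not Squid code and not from anyone in this thread: it walks a TLS ClientHello far enough to read the server_name extension without decrypting anything, then applies a suffix-based allow/deny decision of the kind the proposed ACL would make. The ClientHello used as input is constructed inline (fixed random, one cipher suite, one non-SNI extension placed before SNI so the loop is shown skipping it); the function and variable names are the example's own.

```python
"""Peek the SNI server_name from the first bytes of an intercepted
port-443 connection (TLS record -> Handshake -> ClientHello -> extensions).
Added example; not part of Squid."""
import struct


def extract_sni(data: bytes):
    """Return the server_name from a complete TLS ClientHello, or None if the
    ClientHello carries no SNI. Raises ValueError if the bytes are not a
    complete ClientHello record (caller should read more or fall back)."""
    # TLS record header: ContentType(1) ProtocolVersion(2) length(2); 0x16 = handshake
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("incomplete TLS record")
    hs = data[5:5 + rec_len]
    # Handshake header: HandshakeType(1) length(3); 0x01 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    if 4 + hs_len > len(hs):
        raise ValueError("truncated ClientHello")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id<0..32>
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext = body[pos:pos + ext_len]; pos += ext_len
        if ext_type != 0:                          # 0 = server_name extension
            continue
        # ServerNameList: list_len(2), then entries of NameType(1) len(2) name
        list_len = struct.unpack("!H", ext[0:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            name = ext[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                     # host_name
                return name.decode("ascii")
    return None


def looks_like_client_hello(data: bytes) -> bool:
    """True if the bytes parse as a complete ClientHello (SNI or not)."""
    try:
        extract_sni(data)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def sni_decision(data: bytes, denied_suffixes) -> str:
    """Policy step the SNI ACL would take before handing the socket to a tunnel:
    'not-tls' (fall back to normal handling), 'no-sni', 'deny' or 'tunnel'."""
    if not looks_like_client_hello(data):
        return "not-tls"
    name = extract_sni(data)
    if name is None:
        return "no-sni"
    host = name.lower().rstrip(".")
    for suffix in denied_suffixes:
        s = suffix.lower().lstrip(".")
        if host == s or host.endswith("." + s):
            return "deny"
    return "tunnel"


def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal ClientHello with TLS 1.2 framing (example input only)."""
    body = b"\x03\x03" + b"\x11" * 32               # client_version, fixed demo random
    body += b"\x00"                                 # empty session_id
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite
    body += b"\x01\x00"                             # one compression method (null)
    exts = struct.pack("!HH", 0x0017, 0)            # extended_master_secret, placed first
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for hello in (build_client_hello("www.example.com"), build_client_hello(None)):
        print(extract_sni(hello), sni_decision(hello, ["example.com"]))
    print(sni_decision(b"GET / HTTP/1.1\r\n", []))
```

The parser only needs the first record, so a hook at the point Amos describes could read those bytes, decide, and then hand the unread socket to the tunnel so the server still receives the complete ClientHello. A ClientHello without SNI, or a non-TLS client on port 443, has to be handled explicitly rather than assumed away, which is why the decision function returns distinct results for those cases.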
