Re: Fwd: HTTPS pass through / SNI filtering

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Wed, 03 Aug 2011 13:05:48 +0300

Hi Deniz,
  You cannot use SSL SNI in squid unless you are intercepting the SSL
connection. So you need to touch the sslbump related code. I think you
should touch the httpsAccept function which is implemented in the
client_side.cc file.

Some time ago I created an experimental SNI patch, funded by
Measurement Factory, which worked with intercepted connections and, if I
am correct, worked quite well with some restrictions (which may be
resolvable).
In case you are interested, contact Alex Rousskov and Measurement
Factory.

Regards,
     Christos

On 08/03/2011 11:38 AM, Deniz Eren wrote:
> Hi again;
>
> I have changed the tunnelStart(...) function a bit and now I can create
> a fake HTTP request without depending on ClientHttpRequest, but the problem
> is I could not find the right place to intercept the connection and use
> tunnelStart(...) to forward HTTPS packets through squid. Can you give
> me ideas where to call the tunnelStart(...) function and after that how to
> continue? (By the way I am doing all this stuff with squid-3.1.14).
>
> Good day to you..
>
> Amos Jeffries<squid3 () treenet ! co ! nz>
>
> We have not yet gotten around to implementing a "ssl" flag on http_port
> directives. You will need to start with that to allow detection of the
> case where ssl traffic is intercepted on a port.
>
> You will need to adjust TunnelStateData so that you can create it with
> only a Comm::Connection object instead of a ClientHttpRequest or
> HttpRequest object.
>
>
> You will then need to figure out what changes to ConnStateData are
> needed to detect the intercept+ssl flags case and do SNI instead of
> parsing an HTTP request. Have it spawn a TunnelStateData object to do
> the actual bit-relay work, somehow making sure the whole SSL sequence
> including SNI data arrives properly at the destination server without
> getting lost or swallowed by Squid's processing.
>
> Good luck.
>
>
> On Wed, Jul 6, 2011 at 9:34 AM, Deniz Eren<deniz_at_denizeren.net> wrote:
>> Hi;
>>
>> Can you give me an idea from where to start in order to pass https
>> traffic unprocessed through squid or implement SNI filtering for
>> squid, that will be enough to start my project.
>>
>> Thanks in advance..
>>
>>
>>
>> On Mon, Jul 4, 2011 at 3:04 PM, Deniz Eren<deniz_at_denizeren.net> wrote:
>>> Hi;
>>>
>>> I'm planning to work on an acl which uses SNI. But I need to pass
>>> https traffic through squid without processing it, because I'm not
>>> interested in filtering or seeing the content; the SNI server_name info
>>> will be enough. But with squid it is not possible to pass https
>>> traffic without processing it. In my design I won't use a proxy; the
>>> iptables rule below will redirect https traffic to squid:
>>>
>>> iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT
>>> --to-destination 192.168.0.1:3128
>>>
>>> Can you give me ideas how to solve above problem? And also are you
>>> working on SNI filtering?
>>>
>>> Good day to you..
>>>
>>
>
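The thread above treats the SNI server_name in the TLS ClientHello as the only thing the ACL needs from intercepted port-443 traffic, and Amos's notes make the point that the ClientHello must reach the origin server intact. What that requires of the filter is a bounds-checked walk of the TLS record and handshake structure up to the server_name extension. The following is an added example, not Squid's code and not the experimental patch Christos mentions; it constructs a ClientHello (so it runs offline), extracts the SNI from it, and applies a fail-closed allowlist the way a filtering ACL would. All function and constant names are this example's own.

```python
"""Extract the TLS SNI host_name from a ClientHello and apply an allowlist.

Added example for the squid-dev thread above; not Squid's code. The
ClientHello bytes are constructed by build_client_hello() so this runs
offline, and every length field is checked before it is trusted.
"""
import struct

TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # RFC 6066 server_name extension
NAME_TYPE_HOST = 0x00    # server_name entry type host_name


class ParseError(ValueError):
    """The bytes are not a well-formed, complete TLS ClientHello."""


def _take(data, pos, n, end):
    """Return data[pos:pos+n] and the new offset; refuse to read past `end`."""
    if pos + n > end:
        raise ParseError(f"truncated structure at offset {pos}")
    return data[pos:pos + n], pos + n


def _parse_server_name(body):
    """Walk the server_name list inside the extension body; return host_name."""
    hdr, p = _take(body, 0, 2, len(body))
    end = p + int.from_bytes(hdr, "big")
    if end > len(body):
        raise ParseError("server_name list exceeds extension body")
    while p < end:
        entry, p = _take(body, p, 3, end)            # name_type(1) + length(2)
        name, p = _take(body, p, int.from_bytes(entry[1:3], "big"), end)
        if entry[0] == NAME_TYPE_HOST:
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                raise ParseError("host_name is not ASCII")
    return None


def extract_sni(data):
    """Return the SNI host_name, or None if the ClientHello carries none.

    Raises ParseError if `data` is not a single TLS record holding a whole
    ClientHello (a ClientHello split across records is rejected here).
    """
    hdr, pos = _take(data, 0, 5, len(data))           # type(1) version(2) len(2)
    if hdr[0] != TLS_HANDSHAKE or hdr[1] != 3:
        raise ParseError("not a TLS handshake record")
    rec_end = pos + int.from_bytes(hdr[3:5], "big")
    if rec_end > len(data):
        raise ParseError("record longer than the captured bytes")
    hs_hdr, pos = _take(data, pos, 4, rec_end)        # msg_type(1) + length(3)
    if hs_hdr[0] != CLIENT_HELLO:
        raise ParseError("handshake message is not a ClientHello")
    hs_end = pos + int.from_bytes(hs_hdr[1:4], "big")
    if hs_end > rec_end:
        raise ParseError("handshake length exceeds record")
    _, pos = _take(data, pos, 2 + 32, hs_end)         # client_version + random
    n, pos = _take(data, pos, 1, hs_end)              # session_id
    _, pos = _take(data, pos, n[0], hs_end)
    n, pos = _take(data, pos, 2, hs_end)              # cipher_suites
    _, pos = _take(data, pos, int.from_bytes(n, "big"), hs_end)
    n, pos = _take(data, pos, 1, hs_end)              # compression_methods
    _, pos = _take(data, pos, n[0], hs_end)
    if pos == hs_end:
        return None                                   # no extensions block at all
    n, pos = _take(data, pos, 2, hs_end)
    ext_end = pos + int.from_bytes(n, "big")
    if ext_end > hs_end:
        raise ParseError("extensions length exceeds ClientHello")
    while pos < ext_end:
        eh, pos = _take(data, pos, 4, ext_end)        # ext_type(2) + ext_len(2)
        body, pos = _take(data, pos, int.from_bytes(eh[2:4], "big"), ext_end)
        if int.from_bytes(eh[0:2], "big") == EXT_SERVER_NAME:
            return _parse_server_name(body)
    return None


def sni_decision(data, allowed_domains):
    """Fail-closed ACL: tunnel only when SNI parses and matches the allowlist.

    `allowed_domains` matches a host exactly or any of its subdomains.
    Returns ("allow" | "deny", reason).
    """
    try:
        host = extract_sni(data)
    except ParseError as exc:
        return ("deny", f"unparseable ClientHello: {exc}")
    if host is None:
        return ("deny", "no SNI present (fail closed)")
    h = host.lower().rstrip(".")
    for d in allowed_domains:
        d = d.lower().rstrip(".")
        if h == d or h.endswith("." + d):
            return ("allow", host)
    return ("deny", host)


def build_client_hello(hostname=None):
    """Constructed TLS 1.2 ClientHello for testing; `hostname` None omits SNI."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                  # client_version, zeroed random (constructed)
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + (struct.pack("!H", len(exts)) + exts if exts else b""))
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for hello in (build_client_hello("www.example.com"), build_client_hello(None),
                  build_client_hello("cdn.example.net"), b"GET / HTTP/1.1\r\n"):
        print(sni_decision(hello, {"example.com"}))
```

Two properties of the design matter for an ACL built on this. The parser rejects anything it cannot fully account for (short record, length fields that overrun their container, a non-ClientHello message) and the decision function treats both that and a missing SNI as deny, so an intercepted client cannot slip past the filter by sending something the parser did not expect. Separately, the SNI is a cleartext, client-asserted value: it says which name the client claims to want and nothing more, so a tunnel opened on the strength of it should still go to the original DNATed destination (or a resolved address for the allowed name) rather than to wherever the client's bytes point.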
Received on Wed Aug 03 2011 - 10:06:03 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 03 2011 - 12:00:03 MDT