Re: filtering HTTPS/CONNECT (summary and continuation of discussion)

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 16 Mar 2012 17:04:18 -0600

On 03/16/2012 03:05 PM, Marcus Kool wrote:

> How do we go on from here?

I recommend splitting this big problem into several smaller areas:

Tunnel classification: As Henrik noted, Squid should wait for client (or
server!) handshake before starting the SSL handshake with the server.
Waiting for one of the sides to speak first (i.e., before Squid) allows
us to categorize the tunnel intent: SSL, HTTP, Other. This step is
critical for other projects below.

HTTP tunnel: Either go to tunnel.cc or process almost as a regular
request stream. Make the choice configurable.

SSL tunnel: Use bump-server-first. Add SNI forwarding support. If SSL
handshake with the server fails (there are many broken and weird servers
out there!), bump-server-first returns a secure error to the client. In
some cases, it may be better to re-tunnel the server end (without
bumping) or just close the client connection immediately. The former
requires serious coding effort; the latter does not, but both are pretty
straightforward. And make the choice configurable.

Other tunnel: When non-HTTP traffic is encountered at the beginning of
a tunnel, switch to the tunneling mode or terminate both connections.
Make the choice configurable.

Filterable Other tunnels (bumped or not!): Define a protocol and/or API
to adapt tunnel.cc (or similar) I/O. Learn from ICAP mistakes. Implement
the client/hosting side of that protocol/API in Squid. 3rd parties will
implement the service/adapter sides.

Did I miss any big cases?

As you can see, all of the above are pretty much independent projects.
Are _you_ interested in all or just some of them?

Will you do any work on Squid itself or are you looking for a volunteer
on our end? If it is the former, would you like to create dedicated wiki
pages for those projects you are interested in and start nailing down
the details?

If you are looking for volunteers to work on the Squid side, then I
would not recommend doing much on your end until you secure at least one
such person. Otherwise, you may end up with a filter that you cannot
attach to Squid.

Thank you,

Alex.
Received on Fri Mar 16 2012 - 23:04:25 MDT
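As an added illustration of the tunnel-classification step described above (this is example code written for this page, not code from the thread or from Squid): a Python sketch that peeks at the first bytes of a CONNECT tunnel, reports when neither side has spoken yet, classifies the bytes as TLS, HTTP or other, and pulls the server_name (SNI) out of a TLS ClientHello. The function names and the ClientHello builder are constructed for the example.

```python
import re
import struct

HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")  # full request line

def classify_tunnel(peek: bytes):
    """Classify the first bytes on a CONNECT tunnel: ("TLS"|"HTTP"|"OTHER"|"UNKNOWN", sni)."""
    if not peek:
        return "UNKNOWN", None                 # nobody has spoken yet: keep waiting
    if len(peek) >= 6 and peek[0] == 0x16 and peek[1] == 0x03 and peek[5] == 0x01:
        return "TLS", parse_sni(peek)          # TLS record header + ClientHello handshake type
    if HTTP_REQUEST_LINE.match(peek):
        return "HTTP", None
    if b"\n" not in peek and re.fullmatch(rb"[A-Z]{1,10}( [^\r\n]*)?", peek):
        return "UNKNOWN", None                 # plausible request-line prefix; need more bytes
    return "OTHER", None

def parse_sni(data: bytes):
    """Walk a ClientHello and return its server_name, or None if absent or truncated."""
    try:
        p = 5                                   # skip the 5-byte TLS record header
        if data[p] != 0x01:                     # handshake type must be ClientHello
            return None
        p += 4 + 2 + 32                         # handshake header, client version, random
        p += 1 + data[p]                        # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher suites
        p += 1 + data[p]                        # compression methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0:                      # server_name extension
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                name = data[p + 5:p + 5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            p += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                             # truncated or malformed peek
    return None

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is server_name."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A truncated ClientHello still classifies as TLS but yields no SNI, which is the case where a proxy must keep reading before it can decide how to forward the name.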