[PATCH] SSL Peek and Splice

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Wed, 13 Aug 2014 14:20:21 +0300

Hi all,

This is a first patch which implements the Peek-and-Splice feature
described in the wiki:
   http://wiki.squid-cache.org/Features/SslPeekAndSplice

The goal of this patch is to make the SSL bumping decision after the origin
server name is known.

Short description
====================

Peek and Splice peeks at the SSL client Hello message and SNI info if
any (bumping step 1), sends identical or a similar Hello message to the
SSL server and peeks at the SSL server Hello message (bumping step 2),
and finally decides to proceed with splicing or bumping the connection
(bumping step 3).

After bumping step 1 completes the SNI information is available, and
after bumping step 2 completes the server certificate is available.

The ssl_bump access list is evaluated on every bumping step to select the
bumping mode to use. The new acl "at_step" can be used to match the
current bumping step.

In most cases:
  - if the user selects the "peek" bumping mode at step 2 then at step 3
    one of the "splice" or "terminate" modes can be selected.
  - if the user selects the "stare" bumping mode at step 2 then at step 3
    one of the "bump" or "terminate" modes can be selected.

If squid is built with SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK and
the client uses an OpenSSL library similar to the library used by squid,
then bumping is possible after selecting the "peek" bumping mode and
"splice" after selecting the "stare" bumping mode.

The bump, terminate and splice modes are final decisions.

Example configurations:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump splice step2 BANKS
ssl_bump peek step2 all
ssl_bump terminate step3 BLACKLIST
ssl_bump splice step3 all

This is a Measurement Factory project
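As an added example that is not part of the patch or of Squid itself, here is a small Python evaluator for the configuration above: it walks the three bumping steps with first-match rule selection, feeding in the SNI after step 1 and the server certificate name after step 2, and rejects a step 3 mode that the step 2 choice does not permit. The ACL table, the rule representation and the server names are constructed for illustration.

```python
# Added example, not part of the Squid patch: evaluates an ssl_bump rule list across
# the three Peek-and-Splice steps (first-match semantics) and checks the step 2/3
# restrictions described above. The ACL table and server names are constructed.
FINAL = {"bump", "splice", "terminate"}                       # final decisions
ALLOWED_AFTER = {"peek": {"splice", "terminate"}, "stare": {"bump", "terminate"}}
# Constructed ACLs: name -> (kind, values). "step" is at_step; "name" matches a
# server name learned from the SNI (after step 1) or the certificate (after step 2).
ACLS = {
    "step1": ("step", {1}), "step2": ("step", {2}), "step3": ("step", {3}),
    "BANKS": ("name", {"bank.example"}),
    "BLACKLIST": ("name", {"malware.example"}),
    "all": ("any", None),
}

# The rules from the announcement, in order: (action, [acl names]).
RULES = [
    ("peek", ["step1", "all"]),
    ("splice", ["step2", "BANKS"]),
    ("peek", ["step2", "all"]),
    ("terminate", ["step3", "BLACKLIST"]),
    ("splice", ["step3", "all"]),
]

def acl_matches(acl, step, known_names):
    kind, values = ACLS[acl]
    if kind == "any":
        return True
    if kind == "step":
        return step in values
    return bool(known_names & values)   # nothing learned yet -> no match

def select_mode(rules, step, known_names):
    """First rule whose ACLs all match wins (Squid access-list semantics)."""
    for action, acls in rules:
        if all(acl_matches(a, step, known_names) for a in acls):
            return action
    return None

def bump_connection(rules, sni=None, cert_name=None):
    """Walk steps 1-3 and return the modes chosen until a final decision is reached."""
    decisions, known = [], set()
    for step in (1, 2, 3):
        mode = select_mode(rules, step, known)
        if step == 3 and mode and mode not in ALLOWED_AFTER.get(decisions[-1], FINAL):
            raise ValueError(f"{mode} at step 3 is not allowed after {decisions[-1]}")
        decisions.append(mode)
        if mode is None or mode in FINAL:
            break
        known.add(sni if step == 1 else cert_name)   # info gained by peeking
    return decisions
```

A rule list that tries to "bump" at step 3 after "peek" at step 2 is reported as an error, which is the misconfiguration the announcement warns about.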

Received on Wed Aug 13 2014 - 11:20:41 MDT
