Re: [squid-users] Bypassing SSL Bump for dstdomain

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 05 Mar 2013 23:18:23 -0700

On 03/05/2013 09:15 PM, Amm wrote:
> ----- Original Message -----
>> From: Alex Rousskov <rousskov_at_measurement-factory.com>
>> To: "squid-users_at_squid-cache.org" <squid-users_at_squid-cache.org>
>> Cc:
>> Sent: Wednesday, 6 March 2013 6:20 AM
>> Subject: Re: [squid-users] Bypassing SSL Bump for dstdomain
>>
>> On 03/04/2013 10:11 PM, Amm wrote:
>>
>>>> # Let user specify domains to avoid decrypting, such as internet banking
>>>> acl bump-bypass dstdomain .commbank.com.au
>>>> ssl_bump none bump-bypass
>>>> ssl_bump server-first all

>>> This will not work for intercepted traffic, because the domain is known
>>> only after the SSL connection is established. So the certificate stage
>>> etc. has already passed.

>> It will work but only if the reverse DNS lookup for the intercepted IP
>> address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
>> if given an IP address.

> As per http://www.squid-cache.org/Doc/config/acl/ it's a fast ACL.
>
> acl aclname dstdomain .foo.com ...
> # Destination server from URL [fast]

... but could be a slow ACL. Read a few lines lower:

> # For dstdomain and dstdom_regex a reverse lookup is tried if an
> # IP-based URL is used and no match is found. The name "none" is used
> # if the reverse lookup fails.

>>> I am also assuming that Squid checks IP-based ACLs for ssl_bump
>>> before establishing the connection with the client.

>> Squid checks all ssl_bump ACLs before establishing a TCP connection with
>> the server. The TCP connection from the client is already accepted (or
>> intercepted) by the time ssl_bump ACL is checked.

> What I would like to know is: does Squid check the ssl_bump ACL before
> starting the SSL connection with the client, or after? (for intercepting
> on https_port)

Squid does not establish an SSL connection with the TCP client if
"ssl_bump none" matches.

HTH,

Alex.
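The point of the exchange above is that for intercepted HTTPS Squid only has the server IP when it evaluates ssl_bump, so a dstdomain bypass depends on the reverse lookup of that IP landing under the listed domain, and on the literal name "none" not matching when the lookup fails. The script below is an added example, not code from the thread or from the Squid project: it simulates that evaluation order (literal match first, then reverse DNS for IP destinations, then "none") for the two-line policy quoted in the thread. The PTR table and the 203.0.113.x addresses are constructed test data, not real DNS answers.

```python
"""Simulate how Squid's dstdomain ACL decides 'ssl_bump none' vs 'server-first'
for explicit (hostname known) and intercepted (only server IP known) HTTPS."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample PTR data (not real DNS). None means the reverse lookup fails.
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "203.0.113.10": "www.commbank.com.au",      # PTR under the bank's domain
    "203.0.113.11": "edge-3.cdn.example.net",   # CDN front end, PTR elsewhere
    "203.0.113.12": None,                       # no PTR record at all
}

# The bypass list from the thread: acl bump-bypass dstdomain .commbank.com.au
BUMP_BYPASS: List[str] = [".commbank.com.au"]


def sample_reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for the resolver; returns the PTR name or None on failure."""
    return SAMPLE_PTR.get(ip)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dstdomain_matches(pattern: str, name: str) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain itself and
    every subdomain; without a leading dot only an exact match counts."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        base = pattern[1:]
        return name == base or name.endswith("." + base)
    return name == pattern


def dstdomain_acl_matches(host: str, patterns: Iterable[str],
                          reverse_lookup: Callable[[str], Optional[str]]) -> bool:
    """Evaluate the ACL the way the squid.conf documentation describes:
    try the literal destination first; for an IP with no match, try a reverse
    lookup and compare the PTR name, using the name 'none' if the lookup fails."""
    patterns = list(patterns)
    if any(dstdomain_matches(p, host) for p in patterns):
        return True
    if not is_ip_literal(host):
        return False
    name = reverse_lookup(host) or "none"
    return any(dstdomain_matches(p, name) for p in patterns)


def ssl_bump_decision(host: str, bypass_patterns: Iterable[str],
                      reverse_lookup: Callable[[str], Optional[str]]) -> str:
    """The two rules from the thread, first match wins:
        ssl_bump none bump-bypass
        ssl_bump server-first all
    Returns the action Squid would take for this destination."""
    if dstdomain_acl_matches(host, bypass_patterns, reverse_lookup):
        return "none"
    return "server-first"


def audit(hosts: Iterable[str], bypass_patterns: Iterable[str],
          reverse_lookup: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Report, per destination, whether the bypass would actually fire."""
    return {h: ssl_bump_decision(h, bypass_patterns, reverse_lookup) for h in hosts}


if __name__ == "__main__":
    for host, action in audit(
        ["www.commbank.com.au", "203.0.113.10", "203.0.113.11", "203.0.113.12"],
        BUMP_BYPASS, sample_reverse_lookup,
    ).items():
        print(f"{host:24s} -> ssl_bump {action}")
```

Running it shows the practical caveat: an explicit CONNECT to www.commbank.com.au and an intercepted connection to an IP whose PTR is under the bank's domain are both left alone, but an intercepted connection to a front end whose PTR points at a CDN, or to an address with no PTR at all, falls through to server-first and gets bumped. For a bypass that must not depend on reverse DNS, a `dst` ACL listing the server addresses (a fast, IP-based ACL that ssl_bump also accepts) is the usual alternative; that suggestion is mine, not something stated in the thread.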
Received on Wed Mar 06 2013 - 06:18:31 MST