Re: [squid-users] Bypassing SSL Bump for dstdomain

From: Christos Tsantilas <christos_at_chtsanti.net>
Date: Wed, 06 Mar 2013 16:11:03 +0200

On 03/06/2013 06:15 AM, Amm wrote:
>> On 03/04/2013 10:11 PM, Amm wrote:
>>
>>>> # Let user specify domains to avoid decrypting, such as internet banking
>>>> acl bump-bypass dstdomain .commbank.com.au
>>>> ssl_bump none bump-bypass
>>>> ssl_bump server-first all
>>
>>
>>> This will not work for intercepting traffic, because the domain is known
>>> only after the SSL connection is established. So the certificate stage etc.
>>> has already passed.
>>
>> It will work but only if the reverse DNS lookup for the intercepted IP
>> address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
>> if given an IP address.
>
> As per http://www.squid-cache.org/Doc/config/acl/ it's a fast ACL.
>
> acl aclname dstdomain .foo.com ...
> # Destination server from URL [fast]

The documentation should say that it is fast in most cases....

If the user has used the IP address and not the host name as part of the
URL, then Squid has to do a reverse lookup to find the domain name.

In the case of transparent SSL interception, Squid will have only the IP
address of the destination server, so the reverse lookup is required.

The problem with the reverse lookup is that in most cases it will not give
you the correct domain name. For example, a "host www.paypal.com" returns
the IP address "23.55.226.234". But "host 23.55.226.234" returns as
domain name: <-something->.akamaitechnologies.com

Also, the PayPal example maybe says that it is difficult to find a
correct IP address range for some SSL sites...

Regards,
   Christos
Received on Wed Mar 06 2013 - 14:11:18 MST
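The following is an added illustration, not code from the thread or from Squid itself. It models how the `bump-bypass` dstdomain ACL above is evaluated in the two situations the reply contrasts: an explicit-proxy request where the host name is known, and an intercepted TLS connection where Squid only has the destination IP and must reverse-resolve it first. The DNS data (forward A records and reverse PTR answers) is constructed inline so the script runs offline; the PayPal/Akamai pair mirrors the example in the mail, the other records are made up.

```python
import ipaddress

# Constructed sample DNS data (assumption: illustrative only, not live records).
# Forward A records, as resolved from a host name in a URL or CONNECT request.
FORWARD = {
    "www.paypal.com": "23.55.226.234",
    "www.commbank.com.au": "203.0.113.10",
}
# Reverse (PTR) answers, which is all Squid can obtain for an intercepted
# TLS connection. CDN-hosted sites typically reverse to the CDN's own name.
REVERSE = {
    "23.55.226.234": "a23-55-226-234.deploy.static.akamaitechnologies.com",
    "203.0.113.10": "edge-10.example-cdn.net",
}


def dstdomain_match(pattern, hostname):
    """Squid dstdomain matching: a pattern with a leading dot matches the
    domain itself and every subdomain; a pattern without a leading dot
    matches only that exact host. Comparison is case-insensitive."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return hostname == pattern[1:] or hostname.endswith(pattern)
    return hostname == pattern


def is_ip(value):
    """True if the destination is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def bump_bypass_matches(acl_patterns, dst, reverse=REVERSE):
    """Evaluate a dstdomain ACL for a destination the way the thread describes:
    a host name is matched directly; an IP address (the only thing known for
    intercepted TLS) is reverse-resolved first, which makes the ACL 'slow'.
    Returns (matched, name_actually_compared)."""
    if is_ip(dst):
        name = reverse.get(dst)
        if name is None:
            return False, None  # no PTR record: nothing to compare against
    else:
        name = dst
    return any(dstdomain_match(p, name) for p in acl_patterns), name


def compare_modes(acl_patterns, hostname, forward=FORWARD, reverse=REVERSE):
    """Show the bypass decision for the same site in explicit-proxy mode
    (host name known) versus interception mode (IP only)."""
    ip = forward[hostname]
    explicit, _ = bump_bypass_matches(acl_patterns, hostname, reverse)
    intercepted, seen = bump_bypass_matches(acl_patterns, ip, reverse)
    return {
        "explicit_bypass": explicit,
        "intercepted_bypass": intercepted,
        "intercepted_name_seen": seen,
    }


if __name__ == "__main__":
    bypass_acl = [".commbank.com.au", ".paypal.com"]
    for site in FORWARD:
        result = compare_modes(bypass_acl, site)
        print(site, result)
```

With this data both sites are bypassed when the host name is in the request, but neither is bypassed once only the IP is known, because the PTR names end in `akamaitechnologies.com` and `example-cdn.net` rather than in the ACL's domains. That is the failure mode the reply describes: the bypass silently stops applying for intercepted connections, and the banking traffic ends up being bumped after all.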