Re: [squid-users] Issue when SSL bump bypass some domains from Alex Rousskov on 2013-12-10 (squid-users)

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 10 Dec 2013 22:50:12 -0700

On 12/10/2013 09:13 PM, Neddy, NH. Nam wrote:
> Hi,
>
> I've installed squid 3.4 STABLE for forward proxying with ssl-bump
> (followed Squid Wiki). Everything is fine until client visit https
> pages which have bad certificates (ie. seft signed).
>
> My configure to tell Squid bypass those:
>
> acl bypass-ssl dstdomain *.website.com
>
> ssl_bump none bypass-ssl
> ssl_bump server-first all

OK, but please note that the above only works if

a) The CONNECT request is using a domain name;

b) The CONNECT request is using an IP address. Squid can get a domain
name by doing a reverse DNS lookup on that IP address _and_ the result
of that reverse lookup is the domain name you expect and not some
internal/irrelevant/different domain.

In many cases, neither (a) nor (b) are true.

> The result is Squid bypasses ACL but still do ssl-bump, and client
> still receive generated cert from Squid.

Sorry, the above sentence is unclear, especially the "Squid bypasses
ACL" part. You may want to rephrase.

> I've expected ssl_bump will not terminate ssl by those
> directive, If so, what should I do?

Yes, if bypass-ssl matches, Squid should not terminate SSL.

Here is the suggested troubleshooting plan.

1) Collect the CONNECT request that violates your expectations. Use
"debug_options ALL,2" in squid.conf, packet capture, custom access.log,
whatever works best for you. Once you have the request, you can repeat
it if needed, in isolation, using tools like nc, curl, wget, etc.

2) Determine whether that CONNECT request is using an IP address for the
tunnel destination. If CONNECT is using a domain name, should the
bypass-ssl match that domain? If bypass-ssl should match but does not,
report a bug.

3) If CONNECT request is using an IP address, perform a reverse DNS
lookup yourself, using the same DNS resolver that Squid is using. "Dig"
or even "host" command may be used for that in most cases. Do you get a
DNS answer with a domain name? Should that domain name match your
bypass-ssl ACL? If bypass-ssl should match in this case but does not,
report a bug.

The above plan does not cover all possibilities, but is a good start.

If you need to report a bug, change debug_options to ALL,9; reproduce
the problem using a single request (with no other traffic going through
Squid); and post the compressed cache.log.

Good luck,

Alex.
Received on Wed Dec 11 2013 - 05:50:44 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 11 2013 - 12:00:05 MST