- Defines three steps of the SSL bumping processing:
    step1: Get TCP-level and CONNECT info. Evaluate ssl_bump and perform
           the first matching action (splice, bump, peek, stare, terminate,
           or err).
    step2: Get SSL Client Hello info. Evaluate ssl_bump and perform the
           first matching action (splice, bump, peek, stare, terminate,
           or err). Peeking usually prevents future bumping. Staring
           usually prevents future splicing.
    step3: Get SSL Server Hello info. Evaluate ssl_bump and perform the
           first matching action (splice, bump, terminate, or err).
           In most cases, the only remaining choice at this step is
           whether to terminate the connection. The splicing or bumping
           decision is usually dictated by either peeking or staring at the
           previous step.
- The ssl_bump ACL list may be evaluated in all SSL Bumping processing steps to
  take a decision for the next step:
    splice or none: Become a TCP tunnel without decoding the connection.
    bump: Establish a secure connection with the server and, using a
          mimicked server certificate, with the client.
    peek: Receive client (step1) or server (step2) certificate while
          preserving the possibility of splicing the connection. Peeking
          at the server certificate usually precludes future bumping of
          the connection.
    stare: Receive client (step1) or server (step2) certificate while
           preserving the possibility of bumping the connection. Staring at
           the server certificate usually precludes future splicing of the
           connection.
    terminate or err: Close client and server connections.
  All actions except peek and stare correspond to final decisions: once an
  ssl_bump directive with a final action matches, no further ssl_bump
  evaluations will take place, regardless of the current processing step.
- Add the atstep acl to match against the SSL bumping step: "step1", "step2" or
  "step3".
Current Implementation details:
---------------------------------
1) If the "peek" mode is selected in step2, then the client hello message is
forwarded to the server. If this mode is selected in step2, splicing is always
possible but bumping may not be possible (in most cases where the client uses a
different SSL client library implementation).
2) If the "stare" mode is selected in step2, then squid builds a new
hello message which tries to mimic, if possible, the client hello message.
If stare is selected in step2, bumping is always possible, but splicing may
not be possible any more.
3) In step3, if bump is decided but bumping is not possible any more, then
squid always splices.
4) In step3, if splice is decided but splicing is not possible any more, then
squid always bumps.
5) Because of (3) and (4), in practice, if the firefox browser is used with
peek mode, squid always splices the connection, because squid/openSSL
does not support the firefox SSL features reported in the client hello message.
6) In step2, if the ACL list evaluation results in terminate or err, then we just
close the client connection. If the check results in ssl-bump, then just bump.
If the check results in client-first or server-first, then bump the connection;
else do peek/stare.
7) In step3, the ssl_bump ACL list evaluation results client-first, server-first,
bump or peek all result in bumping (if bumping is possible).