The goal of this patch is to make the SSL bumping decision after the origin
server name is known.

Peek and Splice peeks at the SSL client Hello message and the SNI info, if any
(bumping step 1), sends an identical or a similar Hello message to the SSL
server and peeks at the SSL server Hello message (bumping step 2), and finally
decides whether to proceed with splicing or bumping the connection (bumping
step 3).

After bumping step 1 completes, the SNI information is available, and after
bumping step 2 completes, the server certificate is available.

The ssl_bump access list is evaluated on every bumping step to select the
bumping mode to use. The new acl "at_step" can be used to match the current
bumping step.

In most cases:
- if the user selects the "peek" bumping mode at step 2, then at step 3 they
  can select one of the "splice" or "terminate" modes.
- if the user selects the "stare" bumping mode at step 2, then at step 3 they
  can select one of the "bump" or "terminate" modes.

If Squid is built with SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK and the client
uses an OpenSSL library similar to the library used by Squid, then bumping is
possible after selecting the "peek" bumping mode and splicing after selecting
the "stare" bumping mode.

The bump, terminate and splice modes are final decisions.

Example configuration:

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    ssl_bump peek step1 all
    ssl_bump splice step2 BANKS
    ssl_bump peek step2 all
    ssl_bump terminate step3 BLACKLIST
    ssl_bump splice step3 all

This is a Measurement Factory project
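To make the three-step evaluation concrete, the following toy model (added here as an illustration; it is not Squid's code) walks a transaction through bumping steps 1 to 3 against the example configuration above, using first-match access-list semantics. The ACL callables, the Tx class, the "no match means splice" default and the sample domain names are assumptions of the model, not behaviour the patch documents.

```python
"""Toy model of the stepwise ssl_bump evaluation described above; not Squid code.
Assumes first-match access-list semantics, that all ACLs on one ssl_bump line
must match, and (model choice) that a step with no matching line splices."""
from dataclasses import dataclass

FINAL = {"splice", "bump", "terminate"}
# Final modes a step-3 line may select after the step-2 mode (no hello-overwrite hack).
ALLOWED_AFTER = {"peek": {"splice", "terminate"}, "stare": {"bump", "terminate"}}

@dataclass
class Tx:
    sni: str        # from the client Hello, known after bumping step 1
    server_cn: str  # from the server certificate, known after bumping step 2

def at_step(n):
    return lambda step, tx: step == n

def sni_in(domains):
    return lambda step, tx: tx.sni in domains

def server_cn_in(domains):
    # The certificate is unknown before step 2 completes, so this cannot match at step 1.
    return lambda step, tx: step >= 2 and tx.server_cn in domains

def evaluate(rules, acls, step, tx):
    """Mode of the first ssl_bump line whose ACLs all match at this step, else None."""
    for mode, names in rules:
        if all(acls[name](step, tx) for name in names):
            return mode
    return None

def bump_decision(rules, acls, tx, hello_overwrite_hack=False):
    """Walk steps 1..3; return (final_mode, step) or reject an invalid step-3 choice."""
    previous = None
    for step in (1, 2, 3):
        mode = evaluate(rules, acls, step, tx) or "splice"
        if step == 3 and mode not in FINAL:
            raise ValueError(f"step 3 must make a final decision, not {mode}")
        if step == 3 and not hello_overwrite_hack and mode not in ALLOWED_AFTER[previous]:
            raise ValueError(f"{mode} at step 3 is not allowed after {previous} at step 2")
        if mode in FINAL:
            return mode, step
        previous = mode

# ACLs (constructed sample domains) and the example's ssl_bump lines, in order.
ACLS = {"step1": at_step(1), "step2": at_step(2), "step3": at_step(3),
        "all": lambda step, tx: True, "BANKS": sni_in({"bank.example"}),
        "BLACKLIST": server_cn_in({"blocked.example"})}
RULES = [("peek", ("step1", "all")), ("splice", ("step2", "BANKS")),
         ("peek", ("step2", "all")), ("terminate", ("step3", "BLACKLIST")),
         ("splice", ("step3", "all"))]
```

A bank SNI is spliced at step 2 before the server Hello is ever peeked, while a blacklisted server certificate can only be acted on at step 3, after step 2 has revealed it.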