From: Christos Tsantilas
Date: Wed, 27 Aug 2014 08:05:25 +0000 (+0300)
Subject: SSL Peek and Splice
X-Git-Tag: SQUID_3_5_0_1~89
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=091c880dd2237fd4f0bc7f549736bd1caf0a580b;p=thirdparty%2Fsquid.git

SSL Peek and Splice

The goal of this patch is to make the SSL bumping decision after the origin server name is known.

Peek and Splice peeks at the SSL client Hello message and SNI info, if any (bumping step 1), sends an identical or similar Hello message to the SSL server and peeks at the SSL server Hello message (bumping step 2), and finally decides to proceed with splicing or bumping the connection (bumping step 3).

After bumping step 1 completes the SNI information is available, and after bumping step 2 completes the server certificate is available.

The ssl_bump access list is evaluated on every bumping step to select the bumping mode to use. The new acl "at_step" can be used to match the current bumping step.

In most cases:
- if the user selects "peek" bumping mode at step 2, then at step 3 they can select one of the "splice" or "terminate" modes.
- if the user selects "stare" bumping mode at step 2, then at step 3 they can select one of the "bump" or "terminate" modes.

If Squid is built with SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK and the client uses an OpenSSL library similar to the library used by Squid, then "bump" is possible after "peek" bumping mode selection and "splice" after "stare" bumping mode selection.

Bump, terminate and splice are final decisions.

Example configuration:

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    ssl_bump peek step1 all
    ssl_bump splice step2 BANKS
    ssl_bump peek step2 all
    ssl_bump terminate step3 BLACKLIST
    ssl_bump splice step3 all

This is a Measurement Factory project

--- 091c880dd2237fd4f0bc7f549736bd1caf0a580b
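To make the three-step evaluation concrete, here is an added simulation (not Squid source code) that walks the example configuration above, step by step, for a given SNI and enforces the step-3 restriction the message describes after "peek" or "stare" at step 2. The domain lists behind the BANKS and BLACKLIST ACLs are assumed for illustration only.

```python
# Simulation of Squid's per-step ssl_bump evaluation as described in the
# commit message. Added example, not Squid's own code. The hostnames used
# for BANKS and BLACKLIST are constructed placeholders.

FINAL = {"splice", "bump", "terminate"}

# Modes the text allows at step 3 after each non-final step-2 choice
# (without the SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK build option).
ALLOWED_AFTER = {"peek": {"splice", "terminate"}, "stare": {"bump", "terminate"}}

# ssl_bump lines from the example configuration, in order; first match wins.
RULES = [
    ("peek", "step1", "all"),
    ("splice", "step2", "BANKS"),
    ("peek", "step2", "all"),
    ("terminate", "step3", "BLACKLIST"),
    ("splice", "step3", "all"),
]

def acl_matches(acl, step, sni):
    """Evaluate one ACL name against the current bumping step and SNI."""
    if acl == "all":
        return True
    if acl.startswith("step"):            # at_step SslBumpN
        return acl == f"step{step}"
    if acl == "BANKS":
        return sni in {"bank.example", "pay.example"}   # assumed list
    if acl == "BLACKLIST":
        return sni in {"bad.example"}                    # assumed list
    return False

def evaluate(rules, step, sni):
    """Return the mode of the first ssl_bump rule matching this step."""
    for mode, step_acl, acl in rules:
        if acl_matches(step_acl, step, sni) and acl_matches(acl, step, sni):
            return mode
    return None  # no rule matched

def decide(sni, rules=RULES):
    """Walk bumping steps 1..3; the SNI is only known after step 1."""
    trace, prev = [], None
    for step in (1, 2, 3):
        mode = evaluate(rules, step, None if step == 1 else sni)
        if step == 3 and prev in ALLOWED_AFTER and mode not in ALLOWED_AFTER[prev]:
            raise ValueError(f"{mode} at step 3 is not possible after {prev} at step 2")
        trace.append((step, mode))
        if mode in FINAL:
            break
        prev = mode
    return trace
```

Swapping the last rule for "ssl_bump bump step3 all" makes `decide` raise, which is the "peek then bump" combination the message says is only possible with the hello-overwrite hack.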