Re: [squid-users] missing SNI support in squid makes trouble with sslbump

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 27 Jun 2014 09:10:29 -0600

On 06/27/2014 07:44 AM, Dieter Bloms wrote:

> I use squid 3.4.5 and sslbump works great for the most big sites like
> google and facebook ....
>
> There are some destinations, which share there ip with other virual
> webserver, so the client gets a default certificate from the server with a
> wrong CN. With SNI the client get the right certificate with the correct
> CN.
> I configured "ssl_bump server-first all", but to me it looks like squid
> doesn't do SNI and so gets the wrong certificate.

You are correct. With server-first bumping, Squid does not know client
SNI when establishing the connection with the server. With client-first
bumping, Squid knows client SNI (IIRC), but does not know the server
certificate details when establishing the connection with the client and
so it cannot mimic some important ones. Pick your poison.

> Does anybody know a workaround for this problem ?

Unfortunately, there is no way to detect SNI presence using ACLs right
now. Furthermore, client-first is not compatible with many transactions,
especially if you intercept. You can use TCP/IP-level information to
instruct Squid to use client-first bumping for sites that require SNI
_and_ appear to work in client-first mode (if any).

The Peek and Splice project lays the groundwork for proper SNI support,
but there is currently no volunteer or sponsor for the SNI-specific
changes IIRC: http://wiki.squid-cache.org/Features/SslPeekAndSplice

Cheers,

Alex.
Received on Fri Jun 27 2014 - 15:10:43 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 27 2014 - 12:00:05 MDT