Re: [PATCH] https_port interception options

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Mon, 17 Jun 2013 08:29:25 -0600

On 06/17/2013 12:10 AM, Amos Jeffries wrote:
> On 8/06/2013 3:36 a.m., Alex Rousskov wrote:
>> Furthermore, Squid is already capable of proxying intercepted SSL (and
>> other connections) without any bumping. There is no good configuration
>> support for that at the moment(**), but making ssl-bump implicit will
>> prevent us from adding such support in the future. We should not lock
>> ourselves out from that desirable enhancement.

> No. Please look at the if-statements which this patch is altering again.
>
> if (hijacked && !s->flags.tunnelSslBumping) {
> ...
> self_destruct();
> }
>
> There is no way to configure working interception for 3.3+ on https_port
> without "ssl-bump" flag being present as well.

Yes, but that does not contradict what I said: The capability to proxy
without bumping is there, but there is no good configuration support for
it (because a combination of ssl-bump and "ssl_bump none" for port
traffic is currently required). We should not change configuration
support in a way that will prevent us from providing a good way to
nicely enable that existing capability in the future. Making ssl_bump
implicit is such a change.

>> There are other reasons to avoid this change. If you disagree with my
>> position, please document the reasons you think this change is desirable
>> (your description says what the patch does but not why we should do it).
>
> The intention of this patch was to make your "Furthermore," argument
> case actually work.

Implicitly enabling ssl_bump is the opposite of what we should do in
this case.

> You have shown why it wont work (ssl_bump access list checks also halt
> the proxy, and more reliance on the ssl-bump hack). But we still need
> something to do that.

We need to change code so that when an https_port does not have an
ssl-bump option, the traffic received on that port acts as if "ssl-bump
none" was configured for it (i.e., the traffic is forwarded without
bumping). After those changes, SslBump will continue to be disabled for
that port, but the forwarding-only configuration will be allowed.

HTH,

Alex.
Received on Mon Jun 17 2013 - 14:29:47 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 17 2013 - 12:00:13 MDT