Re: [squid-users] SSL bump working on most site...cert pinning issue?

From: James Lay <jlay_at_slave-tothe-box.net>
Date: Mon, 30 Jun 2014 10:49:43 -0600

On 2014-06-30 07:13, Dan Charlesworth wrote:
> No worries.
>
> Sounds like this is the feature you should be waiting with bated
> breath for: http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> I’m not a developer so I have no idea how far along that is right
> now.
>
> On 30 Jun 2014, at 11:05 pm, James Lay <jlay_at_slave-tothe-box.net>
> wrote:
>
>> On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
>>> Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are
>>> another popular one that use pinning.
>>>
>>> As far as your broken_sites ACL goes, you can't use `dstdomain`
>>> because the only thing Squid can see of the destination before
>>> bumping an intercepted connection is the IP address. So for `ssl_bump
>>> none` you'll need to use `dst` ACLs instead.
>>>
>>> ProTip: Here are the Apple and Akamai public IP blocks (to use in a
>>> dst equivalent of your broken_sites), respectively: 17.0.0.0/8,
>>> 23.0.0.0/12.
>>>
>>> Good luck
>>>
>>> On 30 Jun 2014, at 10:38 pm, James Lay <jlay_at_slave-tothe-box.net>
>>> wrote:
>>>
>>>> Topic pretty much says it...most sites work fine using my below set up,
>>>> but some (Apple's app store) do not. I'm wondering if cert pinning is
>>>> the issue? Since this set up is basically two separate sessions, I
>>>> packet captured both. The side that I have control over gives me a TLS
>>>> Record Layer Alert Close Notify. I am unable to decrypt the other side
>>>> as the device in question is an iDevice and I can't capture the master
>>>> secret.
>>>>
>>>> I've even tried to ACL certain sites to not bump, but they don't go
>>>> through. Below is my complete setup. This is running the below:
>>>>
>>
>> Ah good catch thank you. I've seen expensive proxy appliances just
>> tunnel the traffic through, but they get the host and domain name to
>> allow control...which is really all I'm wanting to do is control what
>> sites are allowed. I'll give your suggestions a go...thank you.
>>
>> James
>>

Thanks Dan...looks like that's what I'll be watching for.

James
Received on Mon Jun 30 2014 - 16:49:50 MDT
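The `dst` versus `dstdomain` distinction Dan describes, written out as an added squid.conf fragment that is not part of the thread and not from the Squid project. The IP blocks are the ones he quoted; the `server-first` mode matches the Squid 3.3/3.4 `ssl_bump` syntax of the time. The trailing Squid 3.5 section assumes that version's Peek and Splice syntax (the feature he linked) and the `.apple.com` pattern in it is an illustrative name, not something from the page:

```conf
# --- Does NOT work for intercepted HTTPS (Squid 3.3/3.4, server-first bumping) ---
# Before the bump, Squid knows only the client's original destination IP,
# so a dstdomain ACL has no hostname to match and the exemption never fires.
# Left commented out to show the broken form beside the working one.
#acl broken_sites dstdomain .apple.com
#ssl_bump none broken_sites

# --- Works: match on the destination IP instead ---
# Apple and Akamai public blocks, as given in the thread.
acl broken_sites dst 17.0.0.0/8
acl broken_sites dst 23.0.0.0/12

# ssl_bump rules are evaluated top to bottom; the first match wins,
# so the exemption must come before the catch-all bump.
# none        = tunnel the TLS through untouched (pinned clients keep working)
# server-first = connect to the origin first, then mimic its cert to the client
ssl_bump none broken_sites
ssl_bump server-first all

# --- Squid 3.5+ alternative (Peek and Splice) ---
# Peeking at the ClientHello exposes the TLS SNI before any bump decision,
# so hostname-based exemptions become possible for intercepted traffic.
# The .apple.com pattern is an assumed example name.
#acl step1 at_step SslBump1
#acl pinned_sni ssl::server_name .apple.com
#ssl_bump peek step1
#ssl_bump splice pinned_sni
#ssl_bump bump all
```

Two caveats for anyone copying this. First, `dst` exemptions are coarse: 23.0.0.0/12 is a CDN range shared by many tenants, so everything served from it bypasses inspection and domain-level control, which is exactly the gap the SNI-based splice rule closes. Second, a spliced or `none`-tunnelled connection can still be logged and policed by IP, but its content is never visible to Squid, so any ACLs that depend on URL or header contents will not apply to it.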

This archive was generated by hypermail 2.2.0 : Mon Jun 30 2014 - 12:00:05 MDT