enterprise-support team mailing list archive

[Simon Déziel <1860807@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

In order to do SSL bumping [1], it seems that squid needs to be
configured '--with-openssl'.

Justification/use cases:

Nowadays, HTTPS represents the majority of the traffic and it cannot be
observed as easily as HTTP. With SSL bumping, squid can use the SNI
header that is (still) in the cleartext portion of the SSL/TLS
connection and use that to allow/deny forwarding the connection. That is
the 'peek-n-splice' mode in upstream docs [2]. This mode doesn't
compromise the security/privacy of the intercepted traffic as SSL/TLS is
not terminated. The SNI inspection may be considered a privacy concern
by some.

One can also do fancier things like implementing a corporate MITM that
generates certs on the fly signed by locally trusted CA [3]. This
terminates the SSL/TLS connection in order to inspect the inner
communication. This "intrusion" is sometimes required by organization
policies.

I can only speak for my organization but we ran into multiple situations
where the peek-n-splice capability would have been handy. In other
scenarios, we would have appreciated the MITM version too, so I think
there is demand for such feature.

1: https://wiki.squid-cache.org/Features/SslBump
2: https://wiki.squid-cache.org/Features/SslPeekAndSplice
3: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

** Affects: squid (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to squid in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1860807

Title:
  Please support SSL bumping with '--with-openssl' configure option

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1860807/+subscriptions