Hello,

I was wondering what the differences are if we apply the ssl bump operation
at different steps.
The documentation contains information about only one difference: when we
bump at step1, the Proxy first establishes a TLS connection with the Client
and then with the Server, while in the other cases it connects first with the
Server and then with the Client.

I looked into this issue and tried to summarize the information I have (I
will not detail here the information available to the admin at each of the
three steps). Maybe it will help someone.

*1. step1*
Conf:
ssl_bump bump step1

Workflow:
step 1 (bump)
1. Client -> CONNECT aaa.bbb.ccc.ddd -> Proxy
2. Proxy -> HTTP 200 Connection established -> Client
3. Client -> Client Hello (SNI) -> Proxy
4. Proxy -> Makes Server Hello (with fake certificate for the SNI host) ->
Client
5. Client <- Complete TLS handshake -> Proxy
6. Proxy -> Makes Client Hello (based on the Client Hello SNI, but uses its
own cipher suites and TLS version) -> Server
7. Server -> Server Hello -> Proxy
8. Proxy <- Complete TLS handshake -> Server
9. Client -> HTTP Request -> Proxy
10. Proxy -> HTTP Request -> Server
11. Server -> HTTP Response -> Proxy
12. Proxy -> HTTP Response -> Client
...

*2. step2*
Conf:
ssl_bump stare step1
ssl_bump bump step2

Workflow:
step 1 (stare)
1. Client -> CONNECT aaa.bbb.ccc.ddd -> Proxy
2. Proxy -> HTTP 200 Connection established -> Client

step 2 (bump)
3. Client -> Client Hello (SNI) -> Proxy
4. Proxy -> Makes Client Hello (based on the Client Hello SNI, but *uses
its own cipher suites* and TLS version) -> Server
5. Server -> Server Hello -> Proxy
6. Proxy <- Complete TLS handshake -> Server
7. Proxy -> Makes Server Hello (with fake certificate for the SNI host with
mimicked attributes) -> Client
8. Client <- Complete TLS handshake -> Proxy
9. Client -> HTTP Request -> Proxy
10. Proxy -> HTTP Request -> Server
11. Server -> HTTP Response -> Proxy
12. Proxy -> HTTP Response -> Client
...

*3. step3*
Conf:
ssl_bump stare step1
ssl_bump stare step2
ssl_bump bump step3

Workflow:
step 1 (stare)
1. Client -> CONNECT aaa.bbb.ccc.ddd -> Proxy
2. Proxy -> HTTP 200 Connection established -> Client

step 2 (stare)
3. Client -> Client Hello (SNI) -> Proxy

step 3 (bump)
4. Proxy -> Makes Client Hello (based on the real Client Hello SNI, and
uses *Client's cipher suites* but its own TLS version) -> Server
5. Server -> Server Hello -> Proxy
6. Proxy <- Complete TLS handshake -> Server
7. Proxy -> Makes Server Hello (with fake certificate for the SNI host with
mimicked attributes) -> Client
8. Client <- Complete TLS handshake -> Proxy
9. Client -> HTTP Request -> Proxy
10. Proxy -> HTTP Request -> Server
11. Server -> HTTP Response -> Proxy
12. Proxy -> HTTP Response -> Client
...

We obtained these data by analyzing network dumps for each configuration.

Bumping at steps 2 and 3 is very similar, but in the former case the Proxy
sends the Client Hello to the Server with its own ciphers, and in the latter
case with the ciphers received from the Client.
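As an added example (not part of the original message, and not Squid code), the following Python script applies the three distinctions above to handshake events taken from a dump on both sides of the proxy: message order separates step1 from the rest, and whether the proxy forwards the Client's cipher suites upstream separates step3 from step2. The event records and cipher lists are constructed stand-ins for what a pcap parser would produce.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HandshakeEvent:
    """One TLS handshake message seen on either side of the proxy.
    Constructed record; a pcap parser would fill these in practice."""
    src: str                       # "client", "proxy" or "server"
    dst: str
    msg: str                       # "ClientHello" or "ServerHello"
    ciphers: Tuple[str, ...] = ()  # offered suites (ClientHello only)


def classify_bump_step(events: List[HandshakeEvent]) -> Optional[int]:
    """Infer the ssl_bump step from message order and offered ciphers,
    following the three observed workflows. None if undecidable."""
    def find(src, dst, msg):
        return next((e for e in events
                     if e.src == src and e.dst == dst and e.msg == msg), None)

    client_hello = find("client", "proxy", "ClientHello")
    to_server = find("proxy", "server", "ClientHello")
    to_client = find("proxy", "client", "ServerHello")
    if client_hello is None or to_server is None or to_client is None:
        return None
    # step1: the proxy answers the client before it ever contacts the server
    if events.index(to_client) < events.index(to_server):
        return 1
    # steps 2 and 3 both reach the server first; only step3 forwards the
    # client's own cipher suites upstream (as observed in the dumps above)
    return 3 if to_server.ciphers == client_hello.ciphers else 2


# Constructed sample traces, one per configuration described above.
CLIENT_CIPHERS = ("TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256")
PROXY_CIPHERS = ("TLS_AES_256_GCM_SHA384",)


def sample_trace(step: int) -> List[HandshakeEvent]:
    hello = HandshakeEvent("client", "proxy", "ClientHello", CLIENT_CIPHERS)
    upstream = HandshakeEvent("proxy", "server", "ClientHello",
                              CLIENT_CIPHERS if step == 3 else PROXY_CIPHERS)
    from_server = HandshakeEvent("server", "proxy", "ServerHello")
    to_client = HandshakeEvent("proxy", "client", "ServerHello")
    if step == 1:
        return [hello, to_client, upstream, from_server]
    return [hello, upstream, from_server, to_client]


if __name__ == "__main__":
    for step in (1, 2, 3):
        print(f"step{step} config -> inferred {classify_bump_step(sample_trace(step))}")
```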

If anyone has any comments or additions, please feel free to complete it.

Kind regards,
    Ankor.
_______________________________________________
squid-users mailing list
https://lists.squid-cache.org/listinfo/squid-users