Re: [squid-users] How Bad is CONNECT and Should I Prevent It?

From: K K <kkadow@dont-contact.us>
Date: Tue, 19 Jun 2007 16:13:29 -0500

On 6/19/07, Vadim Pushkin <wiskbroom@hotmail.com> wrote:
> I am only looking to inspect each SSL connection for the purposes of
> determining if the traffic should be allowed, i.e. non-malicious (not chat,
> file-transfer, etc).

If you actually want to inspect the protocol inside the SSL, I'm not
aware of any free products in this space, but it is a feature of a
growing number of commercial products. These all, TMK, assume that
you are able to load your own additional trusted root certificate on
all clients -- this is trivial in corporations, might be more
difficult in a university, and shouldn't be considered by a
traditional ISP (back to the privacy implications I mentioned
previously).

> Can anyone recommend such a product? Also, I should mention, I am not
> looking to spend a lot of money.

Blue Coat street price starts at about $3K. Their ProxySG product
supports internet standards including ICAP and ICP, and should be
fully capable of participating in a Squid hierarchy (I haven't tested
this...yet) as an ICP parent/child/peer. The base license includes IM
controls and a 'Is this really SSL?' test, but SSL termination
requires an add-on license. Also, their URL categorization engine can
accept databases from many of the top censorware vendors (or their
own), licensed "per seat".

> Are there any plans on the roadmap to do
> this sort of traffic analysis within Squid?

I'm not aware of any.
ICAP doesn't support MITM "CONNECT" tunnel handling. Though some ICAP
clients will forward the CONNECT "URL" to an ICAP service to be
approved or denied, the ICAP standard doesn't allow for looking inside
the SSL/TLS conversation.

Personally, what I've done is configure Squid to hand off CONNECT
sessions to a "parent" proxy supporting SSL inspection:
   # SSL_ports is defined in the default squid.conf; shown here so the
   # http_access rule below resolves
   acl SSL_ports port 443
   # Two SSL-inspecting parents; "7" is the ICP port, unused with no-query
   cache_peer ssl1.intranet parent 8008 7 no-query
   cache_peer ssl2.intranet parent 8008 7 no-query
   acl CONNECT method CONNECT
   # Refuse CONNECT tunnels to anything but the SSL ports
   http_access deny CONNECT !SSL_ports
   # Only CONNECT requests may be routed to the inspecting parents
   cache_peer_access ssl1.intranet allow CONNECT
   cache_peer_access ssl2.intranet allow CONNECT
   cache_peer_access ssl1.intranet deny all
   cache_peer_access ssl2.intranet deny all
   # Never let a CONNECT bypass the parents and go direct
   never_direct allow CONNECT

Kevin
Received on Tue Jun 19 2007 - 15:13:33 MDT
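One way to verify that a configuration like the one above is actually doing what it should is to audit Squid's native access.log for CONNECT requests: every CONNECT that was allowed should show a `*_PARENT` hierarchy code pointing at one of the inspecting parents, and a CONNECT logged as `DIRECT` means `never_direct` did not take effect. The script below is an added example and not part of Kevin's post or of Squid itself; the log lines, hostnames and addresses are constructed for the example, and the peer names `ssl1.intranet`/`ssl2.intranet` are taken from the configuration in the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in Squid's native access.log format:
#   time elapsed client action/status bytes method URL ident hierarchy/peer type
# All hosts and addresses are made up for this example.
SAMPLE_LOG = """\
1182290001.101 42 10.1.2.3 TCP_MISS/200 5120 CONNECT mail.example.com:443 - FIRSTUP_PARENT/ssl1.intranet -
1182290002.202 38 10.1.2.4 TCP_MISS/200 4096 CONNECT www.example.org:443 - ROUNDROBIN_PARENT/ssl2.intranet -
1182290003.303 3 10.1.2.5 TCP_DENIED/403 1700 CONNECT chat.example.net:5222 - NONE/- text/html
1182290004.404 51 10.1.2.6 TCP_MISS/200 8000 CONNECT updates.example.com:443 - DIRECT/203.0.113.10 -
1182290005.505 120 10.1.2.7 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.11 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one native-format access.log line into its named fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised access.log line: {line!r}")
    return m.groupdict()


def audit_connect(log_text: str, expected_peers: Set[str]) -> Dict[str, List[str]]:
    """Classify every CONNECT request in the log.

    via_parent      - tunnelled through one of the expected inspecting parents
    unexpected_peer - went to a parent that is not in expected_peers
    direct          - allowed but went DIRECT, i.e. bypassed inspection
    denied          - refused by http_access (e.g. non-SSL port)
    """
    result: Dict[str, List[str]] = {
        "via_parent": [], "unexpected_peer": [], "direct": [], "denied": []
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] != "CONNECT":
            continue  # only tunnels are of interest here
        if rec["action"].startswith("TCP_DENIED"):
            result["denied"].append(rec["url"])
        elif rec["hier"] == "DIRECT":
            result["direct"].append(rec["url"])
        elif rec["hier"].endswith("_PARENT"):
            if rec["peer"] in expected_peers:
                result["via_parent"].append(rec["url"])
            else:
                result["unexpected_peer"].append(f"{rec['url']} via {rec['peer']}")
        else:
            # Anything else (e.g. CD_PARENT_HIT, NONE on a 200) is worth a look too
            result["unexpected_peer"].append(f"{rec['url']} via {rec['hier']}/{rec['peer']}")
    return result


if __name__ == "__main__":
    report = audit_connect(SAMPLE_LOG, {"ssl1.intranet", "ssl2.intranet"})
    for bucket, urls in report.items():
        print(f"{bucket:16s} {len(urls):3d}  {', '.join(urls)}")
    if report["direct"]:
        print("WARNING: CONNECT tunnels bypassed the inspecting parents:", report["direct"])
```

Run against a real access.log by replacing `SAMPLE_LOG` with the file contents; a non-empty `direct` bucket for CONNECT is the signal that `never_direct` or `cache_peer_access` is not matching as intended, and the `denied` bucket shows the `http_access deny CONNECT !SSL_ports` rule catching tunnels to non-SSL ports.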