On 04/26/2013 11:08 AM, alex_at_imaginers.org wrote:
>> If bumping SSL traffic without client consent or knowledge was possible,
>> SSL would be useless.
>
> that's why I dropped the ssl_bump server-first approach for now. But what about
> the SSL Peek and Splice feature?
All SslBump features past, present, and future will require client
consent or knowledge for SSL bumping to work. It is a fundamental
property of the SSL protocol, not a limitation of a particular SslBump
approach.
> Don't get me wrong I'm not interested in decrypting
> all user traffic
> but to find a better solution than using the dst ipaddress to decide if the user
> is allowed to access a site or not.
When ready, Peek and Splice will help with that in some environments.
However, you need to state clearly whether you want to bump (i.e.,
decrypt) some client traffic or not. If you do, then you have to change
the client configuration. Do you want to decrypt some traffic or do you
just want to terminate offending connections?
Please note that to even send an error message to an intercepted SSL
client, you have to bump the client SSL connection.
> I already managed to see Hellos in the logs when switching on ssl_bump
> peek-and-splice, but I fail to write an ACL filtering for the ServerName in the
> hello to decide if the traffic should be bumped or not. Allowed sites should
> simply go to the ssl_bump none option then. AND by using ssl_dump none, no
> config change is required on the client.
What about the not allowed sites?
> Currently I'm doing this with a script updated ip list, but with the common
> limitations of IP (no wildcard domains, no regex, cdn ips may not be actual, not
> even considering ipv6 and so on)
>
> However I don't know how far the peek and splice feature is, is it currently
> possible to filter for the hello messages?
The currently committed Peek and Splice code may not be able to do what
you want, but depending on what exactly you want to do, we are getting
close to a usable state.
If you do want to bump some connections, and are ready to configure
clients accordingly, then you may want to monitor branch commit messages
and try again in a week or two. Otherwise, it is likely that what you
need is either impossible (bumping without knowledge or consent) or
requires another feature on top of Peek and Splice (terminating
connections after peeking at the server certificate to learn the server
name).
HTH,
Alex.
Received on Sat Apr 27 2013 - 04:30:11 MDT
This archive was generated by hypermail 2.2.0 : Mon Apr 29 2013 - 12:00:06 MDT