[squid-dev] [PATCH] splicing resumed sessions
Alex Rousskov
rousskov at measurement-factory.com
Thu Apr 9 14:58:48 UTC 2015
On 04/09/2015 07:13 AM, Amos Jeffries wrote:

> So for now this patch is okay, but we/you should already be thinking
> about how to auto-translate NPN from clients into ALPN to servers.

Please keep in mind that it is not possible to translate something and
still splice a new SSL session (the client checksum will mismatch if we
alter its handshake bytes).

I am not 100% sure about resumed sessions, but I would expect them to
use the same level of handshake modification protection, preventing
splicing of resumed SSL connections with "translated" handshakes.

Optional translation for bumped sessions sounds like a potentially
useful feature, but let's wait for somebody actually needing it.

For regular (no SslBump) reverse proxy connections to SSL servers, there
is no _translation_ because Squid just sends whatever extensions it
(i.e., OpenSSL) supports, including NPN and/or ALPN.

Cheers,

Alex.
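
The checksum mismatch for a new (full-handshake) session described in the message above, as an added example that is not part of the original post or of Squid's code. It assumes the TLS 1.2 Finished computation from RFC 5246 (the message names no protocol version); the handshake bodies, the master secret and the names `splice_survives`, `hs_msg` and `finished_verify_data` are constructed for illustration.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def finished_verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data = PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    seed = label + hashlib.sha256(transcript).digest()
    return p_sha256(master_secret, seed, 12)

def hs_msg(msg_type: int, body: bytes) -> bytes:
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample data: placeholder bodies, not a real capture.
MASTER_SECRET = bytes(range(48))              # agreed by client and server only
CLIENT_HELLO = hs_msg(1, b"client-random|ciphers|ext:NPN")
TRANSLATED_HELLO = hs_msg(1, b"client-random|ciphers|ext:ALPN")  # rewritten in transit
REST = (hs_msg(2, b"server-random|cipher") + hs_msg(11, b"certificate")
        + hs_msg(14, b"") + hs_msg(16, b"encrypted-premaster"))

def splice_survives(hello_sent: bytes, hello_received: bytes) -> bool:
    """True if the client's Finished verifies against the server's transcript.

    The client hashes the ClientHello it sent; the server hashes the one it
    received. A splicing proxy never learns the master secret, so it cannot
    recompute the Finished message to cover a rewritten ClientHello.
    """
    sent = finished_verify_data(MASTER_SECRET, b"client finished", hello_sent + REST)
    expected = finished_verify_data(MASTER_SECRET, b"client finished", hello_received + REST)
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    print("bytes forwarded untouched:", splice_survives(CLIENT_HELLO, CLIENT_HELLO))
    print("NPN rewritten to ALPN:    ", splice_survives(CLIENT_HELLO, TRANSLATED_HELLO))
```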