[squid-dev] Bumping after peek and Splicing after stare

Christos Tsantilas christos at chtsanti.net
Fri May 20 08:20:20 UTC 2016

Hi all,

  On peek bumping mode we are sending the client hello message to the 
SSL server. The client Hello message normally includes the supported 
features by client and a shared key. This is normally makes impossible 
to bump the connection after "peek" mode.

On stare mode squid sends its hello message (with its supported features 
and its shared keys), and this is make impossible to splice the 
connection after stare mode.

However currently we are trying to hack openSSL, if it is possible (the 
same features supported by both squid and client) and fill its internal 
structures with the hello message sent by client to allow:
   - on stare mode splice the connection
   - on peek mode bump the connection.

This was possible and worked if squid and web client was build using the 
same openSSL library, or for older firefox clients (which used a limit 
number of tls extensions).

However recent changes to the source code of openSSL, break this 
feature. Moreover the openSSL source code is significant changed in its 
trunk repository. The upcoming openSSL releases will have major difference.

Looks that it will be very difficult to maintain this hack. And this is 
already make problems to squid. The stare mode may not work in some cases.

The squid code which hacks openSSL is inside adjustSSL function in bio.cc.

I am suggesting to just remove this function and the 

More information about the squid-dev mailing list