<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1500556217780_7849">Hello,</div><div id="yui_3_16_0_ym19_1_1500556217780_7850"><br id="yui_3_16_0_ym19_1_1500556217780_7851"></div><div id="yui_3_16_0_ym19_1_1500556217780_7852">I'm a developer with higher level languages experience very little commercial c++ development on my hands.</div><div id="yui_3_16_0_ym19_1_1500556217780_7853"><br id="yui_3_16_0_ym19_1_1500556217780_7854"></div><div id="yui_3_16_0_ym19_1_1500556217780_7855">I've been following the SslBump feature for a while now, and this includes source code changes. SslBumping with upstream proxies was completely restricted when bug 3209 was patched in 2011, however, I believe the patch is too restrictive. I agree with Amos's statement that a plaintext information leak is highly unsafe, but the patch also prevents ssl upstream proxies usage.</div><div id="yui_3_16_0_ym19_1_1500556217780_7856"><br id="yui_3_16_0_ym19_1_1500556217780_7857"></div><div id="yui_3_16_0_ym19_1_1500556217780_7858">In order to prevent plaintext and still use upstream proxies, I propose the following changes (tested in intranet, in production) which enable upstream proxies after ssl bumping, as long as the proxies are ssl themselves:</div><div id="yui_3_16_0_ym19_1_1500556217780_7859"><br id="yui_3_16_0_ym19_1_1500556217780_7860"></div><div id="yui_3_16_0_ym19_1_1500556217780_7861">- version 4.x https://github.com/randunel/squid4/commit/c91995833370771f9903b374f17a0d774643c2b3</div><div id="yui_3_16_0_ym19_1_1500556217780_7862">- version 3.5.x https://github.com/randunel/squid3/commit/a72a47cf0d54bf17faefcfe7692182d82d6520ab</div><div id="yui_3_16_0_ym19_1_1500556217780_7863"><br id="yui_3_16_0_ym19_1_1500556217780_7864"></div><div id="yui_3_16_0_ym19_1_1500556217780_7865">Best regards,</div><div dir="ltr" id="yui_3_16_0_ym19_1_1500556217780_7866">Mihai Ene</div></div></body></html>