[squid-users] ssl_bump updates coming in 3.5.8

James Lay jlay at slave-tothe-box.net
Fri Aug 21 12:24:33 UTC 2015


On Fri, 2015-08-21 at 05:26 -0600, James Lay wrote:

> On Fri, 2015-08-21 at 19:28 +1200, Amos Jeffries wrote: 
> 
> > Hi all,
> > 
> >  Christos has managed (we think) to resolve a fairly major design issue
> > that has been plaguing the 3.5 series peek-and-splice feature so far.
> >  (<http://wiki.squid-cache.org/Features/SslPeekAndSplice>)
> > 
> > The problem was that Squid was not actually following the intended and
> > documented logic of skipping the impossible bumping actions. The patch
> > for that will be in 3.5 snapshots labelled r13895 or later (still waiting
> > on mirror updates as I write this 1-2hrs more maybe).
> > (<http://www.squid-cache.org/Versions/v3/3.5/>)
> > 
> > 
> > Since it is affecting the visible behaviour of squid.conf settings I
> > would like some volunteers to help test it out. Find what problems
> > remain, and let me know what to alert others to in the next formal release.
> > 
> > 
> > We need testing both from those having issues currently, and those who
> > managed to get a trial-and-error config going with older 3.5.
> > 
> > Hopefully, if you are using the at_step workarounds there should not be
> > any visible difference. But some of the at_step tests may be needless now.
> > 
> > Thank you in advance for any assistance.
> > 
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> Count me in....I'll let you know my results...my config is in this
> list...it hasn't changed.
> 
> James 
> 


Appears to work fine here:

Squid Cache: Version 3.5.7-20150821-r13895
Service Name: squid
configure options:  '--prefix=/opt' '--with-openssl' '--enable-ssl'
'--enable-ssl-crtd' '--enable-linux-netfilter'
'--enable-follow-x-forwarded-for' '--with-large-files'
'--sysconfdir=/opt/etc/squid' '--enable-external-acl-helpers=none'


Aug 21 06:21:11 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:11 -0600] "CONNECT 69.192.193.247:443 HTTP/1.1" configuration.apple.com - 200 9 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:29 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:29 -0600] "CONNECT 17.173.66.95:443 HTTP/1.1" pd-st.itunes.apple.com - 200 532 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:30 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:30 -0600] "CONNECT 69.192.207.154:443 HTTP/1.1" init.itunes.apple.com - 200 31123 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:30 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:30 -0600] "CONNECT 17.173.66.135:443 HTTP/1.1" xp.apple.com - 200 657 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:30 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:30 -0600] "CONNECT 17.173.66.95:443 HTTP/1.1" pd-st.itunes.apple.com - 200 2059 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:31 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:31 -0600] "CONNECT 17.173.66.73:443 HTTP/1.1" partiality.itunes.apple.com - 200 679 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:32 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:32 -0600] "CONNECT 69.192.193.29:443 HTTP/1.1" iadsdk.apple.com - 200 409 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:32 gateway (squid-1): 192.168.1.100 - - [21/Aug/2015:06:21:32 -0600] "CONNECT 69.192.193.29:443 HTTP/1.1" iadsdk.apple.com - 200 409 TCP_TUNNEL:ORIGINAL_DST peek

I still see only peek instead of the final splice/bump in the
logs...hoping that gets resolved soon.  Thanks Alex.

James
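
A check a tester could run over access-log entries in the layout of the lines posted in this message, listing connections that were tunnelled while the logged ssl_bump mode is not a final splice/bump. This is an added example, not code from the thread or from the Squid project; the field positions are inferred from the posted lines, and the sample addresses, host names and the `splice`/`bump` entries are constructed.

```python
import re

# Constructed sample in the layout of the posted lines, hard-wrapped as mail
# text often is. Addresses, host names and the last two entries are made up.
SAMPLE = """\
Aug 21 06:21:11 gateway (squid-1): 192.0.2.10 - -
[21/Aug/2015:06:21:11 -0600] "CONNECT 198.51.100.7:443 HTTP/1.1"
config.example.com - 200 9 TCP_TUNNEL:ORIGINAL_DST peek
Aug 21 06:21:29 gateway (squid-1): 192.0.2.10 - -
[21/Aug/2015:06:21:29 -0600] "CONNECT 198.51.100.8:443 HTTP/1.1"
store.example.com - 200 532 TCP_TUNNEL:ORIGINAL_DST splice
Aug 21 06:21:30 gateway (squid-1): 192.0.2.10 - -
[21/Aug/2015:06:21:30 -0600] "CONNECT 198.51.100.9:443 HTTP/1.1"
www.example.org - 200 0 TAG_NONE:ORIGINAL_DST bump
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Assumed field order, inferred from the posted lines: client, two idents,
# [time], "request", server name, ident, status, bytes, result:hierarchy, mode.
FIELDS = re.compile(
    r'\(squid-\d+\): (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<host>\S+) \S+ '
    r"(?P<status>\d+) (?P<bytes>\d+) (?P<result>[A-Z_]+):(?P<hier>\S+) "
    r"(?P<mode>\S+)$")
FINAL_ACTIONS = {"splice", "bump"}  # the two final actions named in the post

def rejoin(text):
    """Merge continuation lines into the entry that starts with a syslog stamp."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse(text):
    """Return one dict per entry that matches the assumed layout."""
    return [m.groupdict() for m in map(FIELDS.search, rejoin(text)) if m]

def tunnelled_without_final_action(records):
    """Tunnelled connections whose logged mode is not a final action."""
    return [r for r in records
            if r["result"] == "TCP_TUNNEL" and r["mode"] not in FINAL_ACTIONS]

if __name__ == "__main__":
    for r in tunnelled_without_final_action(parse(SAMPLE)):
        print(r["time"], r["host"], r["result"], r["mode"])
```
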