[squid-users] ssl_bump updates coming in 3.5.8
rousskov at measurement-factory.com
Sun Aug 23 23:33:17 UTC 2015
On 08/21/2015 01:28 AM, Amos Jeffries wrote:
> Christos has managed (we think) to resolve a fairly major design issue
> that has been plaguing the 3.5 series peek-and-splice feature so far.
Clarification: No major design issue has been resolved. The design has
not changed. We fixed the implementation to match the documented design.
I cannot come up with a specific previously-working configuration
example that our fix would break, but that does not mean such
configurations do not exist. If your ssl_bump peek or stare rule could
match at step #3, then you were in a danger zone: Our buggy code used to
incorrectly splice or bump (depending on various complex factors) when
such a match happens at step3. After the fix, such a match can never
happen: peek and stare rules are now correctly ignored during step3.
Here is an example of a configuration that was _not_ working reliably
before the fix (under certain atypical but realistic conditions such as
IE on Windows XP):
ssl_bump peek all
ssl_bump splice all
The above configuration should work as expected after the fix.
The change is not meant to resolve any assertions. However, since it
affects when/whether Squid splices or bumps, the change may affect the
asserting code as well.
Hope this clarifies,
More information about the squid-users