[squid-users] ssl_bump updates coming in 3.5.8

Alex Rousskov rousskov at measurement-factory.com
Sun Aug 23 23:33:17 UTC 2015

On 08/21/2015 01:28 AM, Amos Jeffries wrote:

> Christos has managed (we think) to resolve a fairly major design issue
> that has been plaguing the 3.5 series peek-and-splice feature so far.
> (<http://wiki.squid-cache.org/Features/SslPeekAndSplice>)

Clarification: No major design issue has been resolved. The design has
not changed. We fixed the implementation to match the documented design.

I cannot come up with a specific previously-working configuration
example that our fix would break, but that does not mean such
configurations do not exist. If your ssl_bump peek or stare rule could
match at step #3, then you were in a danger zone: Our buggy code used to
incorrectly splice or bump (depending on various complex factors) when
such a match happens at step3. After the fix, such a match can never
happen: peek and stare rules are now correctly ignored during step3.

Here is an example of a configuration that was _not_ working reliably
before the fix (under certain atypical but realistic conditions such as
IE on Windows XP):

  ssl_bump peek all
  ssl_bump splice all

The above configuration should work as expected after the fix.

The change is not meant to resolve any assertions. However, since it
affects when/whether Squid splices or bumps, the change may affect the
asserting code as well.

Hope this clarifies,
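
The step-by-step evaluation described in the message above, as an added Python sketch (not part of the original post and not Squid code): at each step the first matching rule whose action is possible at that step wins, and peek/stare rules are ignored at step 3. The action sets for steps 1 and 2, the helper names `parse_rules` and `decide`, and the ACL callables are assumptions of this model; Squid's fallback when no rule matches, and any limits an earlier peek or stare places on later actions, are not modelled.

```python
# Simplified model of ssl_bump rule evaluation over the three bumping steps.
# Added illustration only; this is not Squid source code.

# Actions treated as possible at each step. Step 3 excluding peek and stare is
# what the message states; the sets for steps 1 and 2 are assumed here.
APPLICABLE = {
    1: {"peek", "stare", "splice", "bump", "terminate"},
    2: {"peek", "stare", "splice", "bump", "terminate"},
    3: {"splice", "bump", "terminate"},
}

# ACLs as callables (constructed for this example): "all" always matches,
# "step1" matches only during the first step.
ACLS = {
    "all": lambda step: True,
    "step1": lambda step: step == 1,
}

# The configuration quoted in the message.
PAGE_CONF = "ssl_bump peek all\nssl_bump splice all"


def parse_rules(conf):
    """Parse 'ssl_bump <action> <acl>' lines into (action, acl) pairs."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2]))
    return rules


def decide(rules, acls=ACLS):
    """Return [(step, winning_action_or_None), ...] for one connection."""
    trace = []
    for step in (1, 2, 3):
        winner = None
        for action, acl in rules:
            if action not in APPLICABLE[step]:
                continue  # action impossible at this step: rule is ignored
            if acls[acl](step):
                winner = action
                break
        trace.append((step, winner))
        if winner not in ("peek", "stare"):
            break  # final action, or no match (fallback not modelled)
    return trace


if __name__ == "__main__":
    print(decide(parse_rules(PAGE_CONF)))
```

A trace ending in `(3, None)` marks a rule set whose only step 3 match would have been a peek or stare rule, which is the case the message calls the danger zone.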


