[squid-users] SSL Peek-n-Splice and exclusions by SNI

Nathan Hoad nathan at getoffmalawn.com
Mon Mar 9 04:52:31 UTC 2015

Hi folks,

I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's
actually possible to exclude requests based on the SNI host and have
Squid still bump correctly. I've been trying with this configuration,
using a simple external acl:

https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem
key=/path/to/inspectkey.pem generate-host-certificates=on
external_acl_type sni ttl=30 concurrency=60 children-max=3
children-startup=1 %ssl::>sni /usr/libexec/bumphelper

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl sslbump_exclusions external sni

ssl_bump peek step1 all
ssl_bump splice step2 sslbump_exclusions
ssl_bump bump all

Where bumphelper is a very simple Python script:

import sys

while True:
    req = sys.stdin.readline()

    if not req:  # EOF: Squid has closed the helper, so exit the loop
        break

    id, sni = req.split()  # concurrency=N format: "<channel-id> <sni>"

    sys.stderr.write('request %r\n' % req)

    if sni == 'google.com':  # bypass
        sys.stdout.write('{} OK\n'.format(id))
    else:
        sys.stdout.write('{} ERR\n'.format(id))
    sys.stdout.flush()  # stdout is a pipe; without a flush Squid never sees the reply

The result I'm seeing is that requesting "https://youtube.com" gets
inspected as it should, but "https://google.com" results in a
handshake error, when it should have been bypassed, like so:

[~]# openssl s_client -connect google.com:443 -servername google.com
140086124283808:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 268 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

So what am I missing? It's very hard to find documentation about this,
so I might put this up on the wiki as an example once it's sorted.
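The helper protocol the configuration above relies on, as an added example that is not the script from the post: with `concurrency=N` and a format of `%ssl::>sni`, Squid writes one request per line as `<channel-id> <sni>` and expects one reply per line as `<channel-id> OK` (ACL matches, so `ssl_bump splice` applies) or `<channel-id> ERR` (no match, fall through to `bump`). The bypass list, the `*.` suffix syntax and the treatment of a missing SNI as `-` are assumptions made for this example, not Squid behaviour the post documents; the decision logic is kept in a plain function so it can be tested without Squid.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: answer OK for SNI hosts that must be spliced.

Added example (not the helper from the original post). Assumptions:
  - Squid runs it with `concurrency=N` and `%ssl::>sni`, so each request line
    is "<channel-id> <sni>\n" and each reply must be "<channel-id> OK|ERR\n".
  - A client hello without SNI is rendered as "-" (assumed; treated as no match).
  - BYPASS below is a constructed sample list; "*.example" matches subdomains only.
"""
import sys

# Constructed sample exclusion list: exact names, or "*." for any subdomain.
BYPASS = ("google.com", "*.google.com", "bank.example")


def sni_matches(sni, patterns=BYPASS):
    """True if the SNI host should be spliced (exact or wildcard-subdomain match)."""
    host = sni.lower().rstrip(".")  # normalise case and a trailing root dot
    if host in ("", "-"):
        return False  # no SNI at all: never bypass inspection on an empty name
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]  # "*.google.com" -> ".google.com"
            if host.endswith(suffix):
                return True
        elif host == pat:
            return True
    return False


def handle_line(line, patterns=BYPASS):
    """Turn one request line into the reply text (without newline).

    Returns None on EOF (empty string), which tells the main loop to stop.
    A malformed line still gets an ERR on its channel id so Squid is never
    left waiting on that channel.
    """
    if line == "":
        return None
    parts = line.split()
    if not parts:
        return "ERR"  # blank line: no channel id to echo back
    channel = parts[0]
    sni = parts[1] if len(parts) > 1 else "-"
    verdict = "OK" if sni_matches(sni, patterns) else "ERR"
    return "{} {}".format(channel, verdict)


def main():
    # Squid keeps the helper alive and multiplexes requests over stdin/stdout.
    while True:
        reply = handle_line(sys.stdin.readline())
        if reply is None:
            break
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()  # the pipe is block-buffered; unflushed replies stall Squid


if __name__ == "__main__":
    main()
```

Drop this in place of `/usr/libexec/bumphelper` and check it by hand first, e.g. `printf '0 google.com\n1 youtube.com\n' | ./bumphelper` should print `0 OK` and `1 ERR`; a helper that prints nothing until it exits is almost always a missing flush.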



