[squid-users] SSL bumping without faked server certificates

Sebastian Kirschner s.kirschner at afa-finanz.de
Tue Nov 10 14:27:27 UTC 2015


Hi Stefan,

I think it would be better to peek at step1 (Then you have the Client SNI) and at step2 you could bump or splice.
Your config 
> My assumption is that I have to use in Squid's config:
>https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
>acl MYSITE ssl:server_name .mydomain.com
>ssl_bump bump MYSITE
>ssl_bump splice all

A better way might be
# acl step1 at_step SslBump1
# acl MYSITE ssl:server_name .mydomain.com
#
# ssl_bump peek step1
# ssl_bump bump MYSITE
# ssl_bump splice all

Best Regards
Sebastian


More information about the squid-users mailing list