[squid-users] ssl bump and url_rewrite_program (like squidguard)

Alex Rousskov rousskov at measurement-factory.com
Sat Nov 14 01:51:08 UTC 2015


On 11/13/2015 02:16 AM, Edouard Gaulué wrote:

> I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
> "Delayed error responses" chapter:
> "When Squid fails to negotiate a secure connection with the origin
> server and bump-ssl-server-first is enabled, Squid remembers the error
> page and serves it after establishing the secure connection with the
> client and receiving the first encrypted client request. The error is
> served securely. The same approach is used for Squid redirect messages
> configured via deny_info."
> 
> My ideas/questions:
> 1/ Is there a way to have the same with the new peek and splice feature?

Yes, SslBump failures should result in delayed errors securely served to
SSL clients where possible. This essential SslBump feature is not
specific to the old server-first bumping method. If the latest Squid
does not do this, it is essentially a bug.

Alex.


