[squid-users] Some questions about ssl_bump.

Alex Rousskov rousskov at measurement-factory.com
Tue Nov 17 22:15:11 UTC 2015


On 11/17/2015 02:25 PM, Bruce Markey wrote:

> Looking at the squid docs for peek and splice
> ( http://wiki.squid-cache.org/Features/SslPeekAndSplice ).  
> 
> # Do no harm:
> # Splice indeterminate traffic.
> ssl_bump splice serverIsBank
> ssl_bump bump haveServerName
> ssl_bump peek all
> ssl_bump splice all


> So my understanding of this.  
> 
> splice just passes through. 
> then we bump everything else ?
> then peek 
> and finally splice all?

I see very little correlation between the above configuration and your
narrative describing it. Either I am completely misinterpreting your
narrative (especially the word "then") or you need to [re]read what each
action does, which actions are final, and how ssl_bump lines are evaluated.


> Must you bump before peek? I assume so but I'm not sure.

No ssl_bump action can happen after a bump rule matches, so "bump before
X" does not make sense for any action X. Again, there appears to be some
fundamental misunderstanding here.

It is highly unlikely that one can understand how SslBump works by
reading configuration examples alone, unfortunately. If you have not
already, please do read the rest of the wiki page and

http://www.squid-cache.org/Versions/v4/cfgman/ssl_bump.html


Finally, please note that the wiki example assumes that the serverIsBank
ACL mismatches when Squid does not yet know the server name. That
assumption is very important in interpreting the sample configurations
correctly. Many folks cannot write their ssl_bump rules this way because
their ACLs are not that convenient and reliable. YMMV.


Alex.
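To make the evaluation order Alex refers to concrete, here is a small Python model of the four wiki rules as quoted above (an added illustration, not Squid's code and not from the wiki). It assumes the following: rules are re-evaluated at each SslBump step, the first matching rule wins, splice/bump/terminate are final while peek only advances to the next step, rules with non-final actions are skipped at the last step, and, as Alex notes, serverIsBank (like haveServerName) mismatches while the server name is unknown; BANKS is constructed sample data.

```python
# Toy model of ssl_bump rule evaluation (illustration only, not Squid code).
# Assumptions: rules are re-evaluated at each step, first match wins,
# splice/bump/terminate end evaluation, peek advances to the next step,
# and at the last step only final actions are considered.

FINAL = {"splice", "bump", "terminate"}
LAST_STEP = 3

# The wiki example from the thread, as (action, acl_name) pairs, in order.
RULES = [
    ("splice", "serverIsBank"),
    ("bump", "haveServerName"),
    ("peek", "all"),
    ("splice", "all"),
]

BANKS = {"bank.example"}  # constructed sample data for the serverIsBank ACL


def acl_matches(acl, server_name):
    """Evaluate an ACL against what Squid knows at this point.

    Key assumption from the thread: serverIsBank MISMATCHES while the
    server name is still unknown (None); so does haveServerName.
    """
    if acl == "all":
        return True
    if acl == "haveServerName":
        return server_name is not None
    if acl == "serverIsBank":
        return server_name is not None and server_name in BANKS
    raise ValueError(f"unknown acl {acl}")


def action_at_step(step, server_name):
    """First matching rule wins; non-final actions are skipped at step 3."""
    for action, acl in RULES:
        if step == LAST_STEP and action not in FINAL:
            continue
        if acl_matches(acl, server_name):
            return action
    return None


def evaluate(names_by_step):
    """names_by_step[i] is the server name known at step i+1 (None if unknown).

    Returns the list of (step, action) decisions until a final action.
    """
    trace = []
    for step in range(1, LAST_STEP + 1):
        action = action_at_step(step, names_by_step[step - 1])
        trace.append((step, action))
        if action in FINAL:
            break
    return trace
```

Run it with a name that is only learned at step 2 to see why "bump" can never be followed by another action, and why "splice all" is only ever reached at step 3 when no name was found.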



> On Tue, Nov 17, 2015 at 3:33 PM, Amos Jeffries <squid3 at treenet.co.nz
> <mailto:squid3 at treenet.co.nz>> wrote:
> 
>     On 18/11/2015 9:24 a.m., Bruce Markey wrote:
>     > Amos,
>     >
>     > I knew something wasn't right.
>     >
>     > Ok then I'm going to start there.  I had a heck of a time getting
>     > squidguard to even work due to its reliance on old Berkeley DB packages, I'd
>     > be happy to see it go.
>     >
>     > So that being said. I'm going to lose squidguard.  Upgrade squid to 3.5.
>     >
>     > I haven't even looked at the 3.5 stuff.  How big of a config change am I
>     > looking at?  That being said, upgrade or start fresh?
> 
>     For the ssl_bump lines yes. They operate very differently, with a bit of
>     a learning curve around the recursive/repeated ssl_bump processing.
> 
>     The rest of the config change should be smooth if it was working well
>     with 3.3. "squid -k parse" can highlight the differences there.
> 
>     >
>     > Thanks again. This is the first definitive answer I've gotten!
>     >
> 
>     Welcome.
> 
>     Amos
> 
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     http://lists.squid-cache.org/listinfo/squid-users
> 