[squid-users] Squid SNI at Step 2

Jatin Bhasin jbhasin83 at gmail.com
Tue Oct 27 20:11:14 UTC 2015


Hi Amos,

My client is sending SNI. I have checked this. Squid only generates the SNI
fake CONNECT at step2 if the SSL bump action is splice. For all other SSL bump
actions it does not generate a fake CONNECT with SNI.
Is this a bug or a limitation in Squid? Do you plan to change it in the future?

Thanks
Jatin

On 27 Oct 2015 1:52 am, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:

> On 27/10/2015 1:34 a.m., Jatin Bhasin wrote:
> > Hello,
> >
> > I am running Squid 3.5.10 for bumping transparent SSL connections. To
> > achieve this I am using the following Squid configuration for SSL bumping.
> >
> > acl nobumpSites ssl::server_name "/etc/squid/allowed_SSL_sites.txt"
> > ssl_bump peek step1 all
> > ssl_bump peek step2 nobumpSites
> > ssl_bump bump step3 nobumpSites
> > ssl_bump bump all
> >
> >
> > File "/etc/squid/allowed_SSL_sites.txt" contains www.facebook.com.
> >
> > On reading the documentation I understood that I should see a fake CONNECT
> > request for the Facebook.com IP address as below:
> >
> > TAG_NONE/200 0 CONNECT 17.151.224.13:443 - ORIGINAL_DST/17.151.224.13
> >
> > And at step2 there should be a fake CONNECT request for the SNI
> > information extracted.
>
> Only if SNI is actually sent by the client. It is not guaranteed to be
> sent.
>
> Amos