[squid-users] 3.5.8 — SSL Bump questions

Alex Rousskov rousskov at measurement-factory.com
Tue Sep 8 19:54:22 UTC 2015


On 09/07/2015 11:36 PM, Dan Charlesworth wrote:
> First, here’s my config (shout out to James Lay):

> acl client_hello_peeked at_step SslBump2
> ssl_bump splice client_hello_peeked bump_bypass_domains
> ssl_bump bump client_hello_peeked

Just in case somebody tries to copy this:

AFAICT, in Squid v3.5.8, the above config does not make sense. Since
client_hello_peeked does not match during step1, no ssl_bump rules will
match during step1, and so the above is equivalent to:

  ssl_bump splice !all
  ssl_bump bump !all

which, in turn, should be equivalent to:

  ssl_bump splice all

because "splice" is the default ssl_bump action unless Squid has been
"staring". That, in turn, should be nearly equivalent to not using
SslBump at all. There are some side effects related to the
always-performed SslBump step1 actions that you may observe, but I doubt
you were after those side effects.

Alex.
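
The rule evaluation described in the message above, as an added example that is not part of the original post and is not Squid code: a simplified Python model of per-step ssl_bump matching, run over the quoted rules and over a hypothetical variant that adds an explicit peek rule for step1. Assumptions: the first matching rule wins at each step, bump_bypass_domains is matched against the client SNI, and the step1 ACL name, PEEK_FIRST_RULES and the sample domains are constructed for illustration.

```python
# Simplified model of ssl_bump rule evaluation. Assumptions: the first
# matching rule wins at each step; with no match the default is splice,
# or bump if the previous action was stare. This is not Squid code.
FINAL = {"splice", "bump", "terminate"}

def evaluate(rules, sni, bypass_domains):
    """Return the (step, action) pairs taken until a final action is reached."""
    acls = {
        "all": lambda step: True,
        "step1": lambda step: step == 1,                # at_step SslBump1
        "client_hello_peeked": lambda step: step == 2,  # at_step SslBump2
        # Assumed: matched against the client SNI, which is known from step2 on.
        "bump_bypass_domains": lambda step: step >= 2 and sni in bypass_domains,
    }
    trace, previous = [], None
    for step in (1, 2, 3):
        # A rule matches only if every ACL on its line matches (logical AND).
        action = next((act for act, names in rules
                       if all(acls[n](step) for n in names)), None)
        if action is None:
            action = "bump" if previous == "stare" else "splice"
        trace.append((step, action))
        if action in FINAL:
            break
        previous = action
    return trace

# Rules quoted in the thread.
THREAD_RULES = [
    ("splice", ["client_hello_peeked", "bump_bypass_domains"]),
    ("bump", ["client_hello_peeked"]),
]
# Hypothetical variant with an explicit step1 peek, for comparison only.
PEEK_FIRST_RULES = [("peek", ["step1"])] + THREAD_RULES

if __name__ == "__main__":
    bypass = {"bank.example"}  # constructed sample data
    for name, rules in (("thread", THREAD_RULES),
                        ("peek-first", PEEK_FIRST_RULES)):
        for sni in ("bank.example", "www.example"):
            print(name, sni, evaluate(rules, sni, bypass))
```

In this model the quoted rules end at step1 with the default splice for every connection, so the step2 rules are never consulted; only the variant with a step1 rule reaches them.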


