[squid-users] Explanation needed for "at_step"-ACL in ssl_bump
Tom Tom
tomtux007 at gmail.com
Mon Feb 1 11:55:12 UTC 2016
Hi list
Using Squid 3.5.11 and playing with Peek-and-splice and
SSL-Fingerprinting. I've configured the following settings:
acl SSL_BLACKLIST server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump splice DENY_SSL_BUMP
ssl_bump stare all
ssl_bump terminate SSL_BLACKLIST
ssl_bump bump all
With this config, connections with known fingerprints are terminated
and sites which shouldn't be bumped are spliced.
It's working fine, but it's suspicious to me that I don't need to
define an "at_step" directive. Does the word "all" within the
"stare" directive mean all steps? Or does the "all" refer to the implied
"all" ACL?
When replacing "ssl_bump stare all" with "ssl_bump stare step1",
terminating the connection when catching a known SSL fingerprint
isn't working. Why?
Thanks a lot for an explanation.
Kind regards,
Tom
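Editor's added example, not the poster's config: the same rules written out per SslBump step, which makes visible why "all" (Squid's built-in match-everything ACL) works while "stare step1" does not. It assumes, as a reading of Squid's peek-and-splice design, that a server_cert_fingerprint ACL can only match once Squid has received the server certificate, i.e. at SslBump3 after a stare at SslBump2; with "stare step1" nothing stares at step 2, so "bump all" fires there before any certificate exists and SSL_BLACKLIST is never compared against one.

```conf
# Added example (editor's, not the poster's running config).
# Assumption: server_cert_fingerprint matches only at SslBump3, once a
# stare at SslBump2 has fetched the server certificate.
acl SSL_BLACKLIST server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Step 1: only the TCP-level client details are known. Peek to read the
# ClientHello so the SNI becomes available at step 2.
ssl_bump peek step1

# Step 2: SNI is known. Splice names that must never be bumped; for the
# rest, stare so the server certificate is fetched (splicing is no longer
# possible after this point).
ssl_bump splice step2 DENY_SSL_BUMP
ssl_bump stare step2

# Step 3: the server certificate is in hand, so the fingerprint ACL can
# actually be evaluated against something.
ssl_bump terminate step3 SSL_BLACKLIST
ssl_bump bump step3
```

Checking this on a test host: a splice decision is logged at step 2 for a DENY_SSL_BUMP name, and a terminate decision appears only at step 3 for a listed fingerprint; if terminate never shows up, the stare rule at step 2 is not being reached.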