[squid-users] question about ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Thu Mar 10 04:33:21 UTC 2016


On 03/09/2016 08:38 PM, Alex Samad wrote:
>>> I am not sure how haveServerName is constructed


>> It is up to the Squid admin.


> I'm the squid admin. I am presuming maybe wrongly that this is a test to
> see if squid has worked out a serverName.


Yeah. Ideally, haveServerName should match when and only when
serverIsBank will never match even if Squid keeps peeking further. And
what _that_ means, exactly, depends on serverIsBank (which is determined
by the admin to be whatever the admin needs it to be).

In a simple case, serverIsBank could be a ssl::server_name test for a
specific domain name and haveServerName could be a test for "any other
domain name". The real serverIsBank/haveServerName ACLs tend to be very
complex (containing many simple ACLs, external ACL tests, etc.).

I do not claim that it is easy or even possible to construct an ideal
haveServerName using the existing ACL building blocks, but folks usually
find ways to at least approximate it.

Alex.
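
[Added example, not part of the original message and not Squid code.] A toy Python model of step-by-step ssl_bump evaluation, showing why a haveServerName that means only "any other name" can match too early. The rule order (splice serverIsBank, bump haveServerName, peek all, then terminate), the domain names, the IP address and the "stricter" approximation are all assumptions of this example.

```python
import ipaddress

BANK_SUFFIX = ".bank.example"  # constructed domain standing in for serverIsBank


def server_is_bank(name):
    # Rough stand-in for an ssl::server_name test on one domain and its subdomains.
    return name is not None and ("." + name).endswith(BANK_SUFFIX)


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def naive_have_server_name(name):
    # "Any other name": true for everything that is not the bank, IP literals included.
    return name is not None and not server_is_bank(name)


def stricter_have_server_name(name):
    # Approximation (assumption): an IP literal is not yet a server name, keep peeking.
    return naive_have_server_name(name) and not is_ip(name)


def decide(names_by_step, have_server_name):
    """names_by_step: name visible at step 1 (CONNECT), step 2 (SNI), step 3 (cert).

    First matching rule wins at each step. The model ignores Squid's limits
    on which actions are still possible at later steps.
    """
    for step, name in enumerate(names_by_step, start=1):
        if server_is_bank(name):        # splice serverIsBank
            return ("splice", step)
        if have_server_name(name):      # bump haveServerName
            return ("bump", step)
        # peek all: learn more and evaluate again at the next step
    return ("terminate", len(names_by_step))


# Constructed case: intercepted connection, only an IP is known before the SNI arrives.
INTERCEPTED_BANK = ["203.0.113.10", "login.bank.example", "login.bank.example"]

if __name__ == "__main__":
    print(decide(INTERCEPTED_BANK, naive_have_server_name))     # bank traffic bumped
    print(decide(INTERCEPTED_BANK, stricter_have_server_name))  # bank traffic spliced
```
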


