[squid-users] ssl::server_name never matches during step1

Alex Rousskov rousskov at measurement-factory.com
Thu Oct 13 17:13:18 UTC 2016


On 10/11/2016 11:36 AM, Alex Rousskov wrote:
> On 10/11/2016 11:09 AM, - - wrote:
>> No matter what I try i can't get squid4 to splice certain sites and to
>> bump/terminate the rest. My config is as follows:
>>
>> acl sni_exclusions ssl::server_name .google.com
>> acl sni_exclusions ssl::server_name .google.de
>>
>> acl tcp_level at_step SslBump1
>> acl client_hello_peeked at_step SslBump2
>> ssl_bump peek tcp_level all
>> ssl_bump splice client_hello_peeked sni_exclusions
>> ssl_bump bump all
>>
>> if I replace the ssl_bump bump all with ssl_bump terminate all, all sites are
>> terminated, if I do a ssl_bump splice all, all https traffic is going through.
> 
> Which implies that your splice rule never matches or the match is
> ignored for some reason.

AFAICT, ssl::server_name and ssl_server_name_regex are completely broken
in v4.0 as far as step1 (and equivalent) matches are concerned. Please
try the above trunk patch. It may need more work (and a v3.5
port/investigation) but it fixes the biggest/obvious problems in my tests.


Thank you,

Alex.
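As an added illustration (not Squid code, and not part of this thread), the following Python model walks the SslBump steps the poster's config describes: peek at step 1 (no SNI is available yet at the TCP level), splice at step 2 when the ClientHello's SNI matches the `sni_exclusions` list, and fall through to bump otherwise. It assumes `ssl::server_name` uses dstdomain-style suffix matching (a leading dot matches the domain and all subdomains), and the `sni_acl_works` flag models the failure Alex reports, where the ACL never matches and every connection lands on the final `bump all` rule.

```python
# Added example: minimal model of the ssl_bump evaluation in the poster's config.
# Assumptions (not from Squid's source): dstdomain-style suffix matching for
# ssl::server_name, and first matching rule wins at each step.
from typing import Iterable, Optional

# Exclusion list copied from the poster's config.
SNI_EXCLUSIONS = [".google.com", ".google.de"]


def sni_matches(sni: Optional[str], patterns: Iterable[str]) -> bool:
    """True if the SNI matches any pattern; '.example' matches example and *.example."""
    if not sni:
        return False
    host = sni.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def decide(step: int, sni: Optional[str], sni_acl_works: bool = True) -> str:
    """Action for one SslBump step, mirroring:
        ssl_bump peek tcp_level all
        ssl_bump splice client_hello_peeked sni_exclusions
        ssl_bump bump all
    sni_acl_works=False models the reported bug: the SNI ACL never matches.
    """
    if step == 1:
        return "peek"  # step 1 sees only the TCP connection, so peek to get the SNI
    if step == 2 and sni_acl_works and sni_matches(sni, SNI_EXCLUSIONS):
        return "splice"
    return "bump"  # catch-all rule


def final_action(sni: Optional[str], sni_acl_works: bool = True) -> str:
    """Run step 1 then step 2 and return the action the connection ends up with."""
    first = decide(1, sni, sni_acl_works)
    if first != "peek":
        return first  # would only happen if the config changed the step-1 rule
    return decide(2, sni, sni_acl_works)


if __name__ == "__main__":
    # Constructed sample SNIs, not captured traffic.
    for name in ["www.google.com", "google.de", "example.org", None]:
        print(f"{name!r:20} ok-acl -> {final_action(name)}, "
              f"broken-acl -> {final_action(name, sni_acl_works=False)}")
```

With a working ACL the Google hosts splice and everything else bumps; with the ACL never matching, every host, including the exclusions, is bumped, which is exactly the symptom described at the top of the thread.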
