[squid-users] ALPN, HTTP/2 and sslbump

Alex Rousskov rousskov at measurement-factory.com
Wed Jan 3 23:37:24 UTC 2018


On 01/03/2018 03:30 PM, brianbergstrom wrote:

> If I understand the docs and this thread correctly, Squid should be removing
> h2 from the ALPN in the Client Hello since Squid does not support it.

Please note that Squid cannot remove something when using "peek" and
"splice" actions.

I do not know whether Squid removes unsupported ALPN values when using
"stare" and "bump" actions, and I would not be surprised to learn that
Squid does not police those values at all (yet), but I want to emphasize
that the combination of "removing" and "splicing" is impossible.


> ssl_bump peek step1
> ssl_bump peek step2 allowed_https_sites
> ssl_bump peek step2 allowed_https_ips
> ssl_bump splice step3 allowed_https_sites
> ssl_bump splice step3 allowed_https_ips
> ssl_bump terminate step2 all


HTH,

Alex.
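
Added example, not part of the original message and not Squid code: a splice turns the connection into a TCP tunnel, so the server receives the ClientHello exactly as the client sent it. The sketch below reads the ALPN list the way a peeking proxy could, then shows that a hello without h2 is a different handshake message. All function names and the ClientHello bytes are constructed for illustration, and a plain SHA-256 stands in for the TLS transcript hash.

```python
import hashlib
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

def build_client_hello(protocols):
    """Constructed, minimal ClientHello handshake message with one ALPN extension."""
    names = b"".join(bytes([len(p)]) + p for p in protocols)
    ext = struct.pack("!HHH", ALPN_EXT, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random (all zero: sample data)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_alpn(hello):
    """Protocol names a client offers: what a peeking proxy can read."""
    if not hello or hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    pos = 4 + 2 + 32                                        # header, version, random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == ALPN_EXT:
            names, i = [], 2                                # skip the 2-byte list length
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]])
                i += 1 + data[i]
            return names
    return []

def transcript_digest(hello):
    """Stand-in for the handshake transcript hash both endpoints verify in Finished."""
    return hashlib.sha256(hello).hexdigest()

client_sent = build_client_hello([b"h2", b"http/1.1"])
rewritten = build_client_hello([b"http/1.1"])               # what "removing h2" would need

if __name__ == "__main__":
    print(offered_alpn(client_sent), offered_alpn(rewritten))
    print(transcript_digest(client_sent) == transcript_digest(rewritten))
```

Because client and server each hash the hello they actually sent or received, a tunnel that forwarded the rewritten bytes would leave the two ends with different transcripts, and the end-to-end handshake would fail.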

