[squid-users] ALPN, HTTP/2 and sslbump

Brian Bergstrom brian.bergstrom at sportsengine.com
Tue Jan 9 14:58:03 UTC 2018

Thanks for the input.  Peeking less and splicing sooner appears to resolve
the issue I was having.  Since SNI is available at step 2 after peeking at
step 1, I there was no lose in functionality.  So my ssl_bump config ends
up looking like below:

ssl_bump peek step1
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step2 allowed_https_ips
ssl_bump terminate step2 all

Thanks again!

On Wed, Jan 3, 2018 at 5:47 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 04/01/18 12:37, Alex Rousskov wrote:
>> On 01/03/2018 03:30 PM, brianbergstrom wrote:
>> If I understand the docs and this thread correctly, Squid should be
>>> removing
>>> h2 from the ALPN in the Client Hello since Squid does not support it.
>> Please note that Squid cannot remove something when using "peek" and
>> "splice" actions.
>> I do not know whether Squid removes unsupported ALPN values when using
>> "stare" and "bump" actions, and I would not be surprised to learn that
>> Squid does not police those values at all (yet),
> It does *unless* peeking at the server handshake: <
> https://github.com/squid-cache/squid/blob/v3.5/src/ssl/bio.cc#L1261>.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

*Brian Bergstrom*

SportsEngine | 807 Broadway St NE | Suite 300 | Minneapolis, MN 55413
SportsEngine.com <http://sportsengine.com> | twitter.com/NBCSportsEngine |
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180109/f6d4e288/attachment.html>

More information about the squid-users mailing list