[squid-users] Splice using SubjectCN/SAN from remote server certificate

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 26 07:08:12 UTC 2018


On 26/06/18 17:42, Ahmad, Sarfaraz wrote:
> I realize that unlike other proprietary MITM appliances, Squid doesn't fiddle with the original client hello.

That is not strictly true. It depends on what you have configured Squid
to do.

Squid does adjust the TLS extensions to only allow features that are
supported (i.e. ALPN, to remove HTTP/2 etc., which is not yet supported by
Squid).


> I think this magnifies into the fact that we cannot look at the SubjectCN/SAN in the remote server certificate and then decide whether we want to splice or bump. (Peeking at step 2 really restricts our options.)
> Is my understanding correct?

No. Peeking at the client Hello does not impact the final decision;
whether you peek or stare at the server Hello is what does that.


> Or is there a way to accomplish this ?

If the client and proxy capabilities and OpenSSL config are identical
(or nearly so) then theoretically Squid can still splice after a stare
action. But whether the current SSL-Bump implementation is smart enough
to detect that case I'm not sure.

Amos
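An added squid.conf fragment (not from this thread or from the Squid project) illustrating the step 2 choice described above: peeking at the server Hello keeps splicing possible at step 3, where the server certificate's name can be matched; staring is the alternative when the intent is to bump. The ACL names, domains and the "terminate everything else" policy are constructed placeholders.

```conf
# Added example, not from the squid-users thread. Assumes Squid 3.5+/4.x
# with an https_port already configured for ssl-bump.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# ssl::server_name matches the client SNI at steps 1-2 and, at step 3,
# the name Squid learned from the server certificate (SubjectCN/SAN).
# Domain list is a constructed placeholder.
acl allowed_servers ssl::server_name .bank.example .payroll.example

# --- Option A: decide from the server certificate, keep splice possible ---
ssl_bump peek step1
ssl_bump peek step2              # peek, not stare: server Hello passes through unmodified
ssl_bump splice allowed_servers  # evaluated at step 3 against the server certificate name
ssl_bump terminate all           # placeholder policy for everything else

# --- Option B (commented out): stare at step 2 when the goal is to bump ---
# After a stare, Squid has negotiated with the server using its own TLS
# parameters, so splicing at step 3 is only theoretically possible when
# client and proxy capabilities match, as noted in the reply above.
# ssl_bump peek step1
# ssl_bump stare step2
# ssl_bump bump all
```

Check which name an ssl::server_name ACL matched at step 3 with `debug_options ALL,1 28,3` before relying on it in production.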

