[squid-users] difference of settings doing the same as it seems

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 14 22:38:25 UTC 2019


On 11/14/19 2:06 PM, Walter H. wrote:

> #ssl_bump stare step1 all
> #ssl_bump splice nobumpsites
> #ssl_bump bump all

> ssl_bump peek step1
> ssl_bump splice nobumpsites
> ssl_bump stare all

Both configurations peek at the TLS client Hello. Both configurations
splice nobumpsites during step2 when nobumpsites matches during that
step. Now about the differences:

The first configuration bumps bumpsites (i.e. sites that did not match
nobumpsites) during step2, before the server certificate details are
known. It never reaches step3.

The second configuration uses the implicit "bump if the action during
the previous step was stare and no applicable actions matched during the
current step" rule to bump bumpsites during step3, after learning the
server certificate details.


You can rewrite these two configurations to be more symmetrical but
still have the same respective outcomes:

  # bump at step2
  ssl_bump peek step1
  ssl_bump splice nobumpsites
  ssl_bump bump all

  # bump at step3
  ssl_bump peek step1
  ssl_bump splice nobumpsites
  ssl_bump stare step2
  ssl_bump bump all

As you can see, the only difference is the "stare step2" rule which
allows Squid to learn the server certificate details and incorporate
those details into the generated fake certificate when the connections
are bumped.


> can someone explain the difference between these two ways - the
> commented ones and the other 3 settings?

If you had good reasons to think that the two configurations are the
same, consider contributing Squid documentation adjustments to better
explain why they are not.

Alex.
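
The step semantics described in the reply above (peek at step1, splice when nobumpsites matches at step2, explicit bump at step2 versus stare followed by an implicit bump at step3), modelled as an added Python example that is not Squid code and not part of this thread. The applicable-action table, the implicit default actions, the way the ACLs are modelled and the sample hostnames are assumptions; only the rule lists come from the mail.

```python
# Toy model of Squid's three-step ssl_bump decision process (added example, not Squid code).
# The transition table and implicit actions are assumptions taken from Squid's ssl_bump docs.
# Actions applicable at a step, given the action taken at the previous step (assumption).
APPLICABLE = {
    ("start", 1): {"peek", "stare", "splice", "bump", "terminate"},
    ("peek", 2): {"peek", "stare", "splice", "bump", "terminate"},
    ("stare", 2): {"peek", "stare", "splice", "bump", "terminate"},
    ("peek", 3): {"splice", "terminate"},  # after peeking at step2, bumping is no longer possible
    ("stare", 3): {"bump", "terminate"},   # after staring at step2, splicing is no longer possible
}
# Implicit action when no applicable rule matches: splice after peek, bump after stare.
IMPLICIT = {"start": "splice", "peek": "splice", "stare": "bump"}
FINAL = {"splice", "bump", "terminate"}

NOBUMP_SITES = {"bank.example"}  # constructed sample content of the nobumpsites ACL

def acl_matches(acl, step, sni):
    """step1/step2 model at_step ACLs; nobumpsites models a server-name ACL,
    which cannot match before the SNI has been read from the client Hello (step2)."""
    if acl == "all":
        return True
    if acl in ("step1", "step2", "step3"):
        return step == int(acl[-1])
    if acl == "nobumpsites":
        return step >= 2 and sni in NOBUMP_SITES
    raise ValueError(f"unknown acl {acl}")

def evaluate(rules, sni):
    """Walk the steps and return the (step, action) decisions up to the final action."""
    prev, decisions = "start", []
    for step in (1, 2, 3):
        allowed = APPLICABLE[(prev, step)]
        # First rule in file order whose action is applicable now and whose ACL matches.
        action = next((a for a, acl in rules if a in allowed and acl_matches(acl, step, sni)),
                      IMPLICIT[prev])
        decisions.append((step, action))
        if action in FINAL:
            break
        prev = action
    return decisions

# The two rewritten configurations from the mail, and Walter's "stare all" variant.
BUMP_AT_STEP2 = [("peek", "step1"), ("splice", "nobumpsites"), ("bump", "all")]
BUMP_AT_STEP3 = [("peek", "step1"), ("splice", "nobumpsites"), ("stare", "step2"), ("bump", "all")]
STARE_ALL = [("peek", "step1"), ("splice", "nobumpsites"), ("stare", "all")]

if __name__ == "__main__":
    for cfg in (BUMP_AT_STEP2, BUMP_AT_STEP3, STARE_ALL):
        print([evaluate(cfg, host) for host in ("shop.example", "bank.example")])
```

Running it shows the first configuration finishing with bump at step2, while the other two reach step3 before bumping, and all three splicing bank.example at step2.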

