[squid-users] Call for adaptation after sni peeked

Alex Rousskov rousskov at measurement-factory.com
Wed Oct 23 20:55:07 UTC 2019

On 10/23/19 3:37 PM, Jatin Bhasin wrote:

> This question is related to ssl decryption and ecap adaptation call. 
> When the ssl connection starts then before it even extracts sni squid sends 
> fakeConnect which comes to ecap as well.

Yes, this happens during SslBump step1 as described at

> I am using peek in step 1 and after fakeConnect squid extracts the sni,
> but at this point squid does not make another call to ecap.

According to the above wiki page (and my understanding of how SslBump
should work), Squid should make another adaptation pass during step2.
You may want to make sure that your Squid does not discover some error
_before_ it can start doing eCAP during step2.

If your eCAP service does not see the second CONNECT (during step2), I
suggest using the latest Squid v4 with the following "minimal" SslBump

    ssl_bump peek step1
    ssl_bump splice all

Does the above work without problems when eCAP is turned off?

Does the above deliver the second CONNECT to eCAP when it is enabled?

> This function in squid is startPeekAndSpliceDone in file
> client_side.cc

We should not be discussing code details on squid-users, but the latest
Squid v4 does not have that function AFAICT:

> $ git grep startPeekAndSpliceDone SQUID_4_8 | wc -l
> 0


More information about the squid-users mailing list