[squid-users] Call for adaptation after sni peeked
jbhasin83 at gmail.com
Mon Oct 28 07:25:16 UTC 2019
If I use below squid configuration:
ssl_bump peek step1
ssl_bump splice all
I would see the fake CONNECT request in step 2 as well. I did not check Squid
version 4, but Squid version 3 will send the second fake CONNECT to the eCAP adapter
only if we splice in step 2, which will be true in the above configuration.
But I don't want to splice in step 2, well, not always. I want my eCAP adapter
to get the fake CONNECT in all cases in step 2 so that I can then make a
decision at step 2 on whether to splice or bump in step 2.
In other words, at the end of step 1 Squid could make a call to the adaptation
ACL (it does not currently), which would help to make decisions based on the SNI.
As per my understanding, Squid makes a call to the adaptation ACL in the following cases:
Step 1 - At the start of the connection, but here only the IP is available.
Step 2 - Only when splicing.
I did not check any further from here because then mostly it's too late to
I am happy to send the following to another group if you can suggest one:
I made a manual code change for the adaptation ACL at the end of step 1, and I
was able to send the fake CONNECT with the SNI to eCAP. I wanted to understand from
experts whether these changes are incorrect and may cause issues in some cases
I don't know about.
On Thu., 24 Oct. 2019, 07:55 Alex Rousskov, <
rousskov at measurement-factory.com> wrote:
> On 10/23/19 3:37 PM, Jatin Bhasin wrote:
> > This question is related to SSL decryption and the eCAP adaptation call.
> > When the SSL connection starts, before it even extracts the SNI, Squid
> > calls fakeConnect, which comes to eCAP as well.
> Yes, this happens during SslBump step1 as described at
> > I am using peek in step 1, and after fakeConnect Squid extracts the SNI,
> > but at this point Squid does not make another call to eCAP.
> According to the above wiki page (and my understanding of how SslBump
> should work), Squid should make another adaptation pass during step2.
> You may want to make sure that your Squid does not discover some error
> _before_ it can start doing eCAP during step2.
> If your eCAP service does not see the second CONNECT (during step2), I
> suggest using the latest Squid v4 with the following "minimal" SslBump
> ssl_bump peek step1
> ssl_bump splice all
> Does the above work without problems when eCAP is turned off?
> Does the above deliver the second CONNECT to eCAP when it is enabled?
> > This function in squid is startPeekAndSpliceDone in file
> > client_side.cc
> We should not be discussing code details on squid-users, but the latest
> Squid v4 does not have that function AFAICT:
> > $ git grep startPeekAndSpliceDone SQUID_4_8 | wc -l
> > 0
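For readers following the step1/step2 discussion above: Squid can already make the splice-or-bump choice at step2 from the peeked SNI without eCAP, through its own ssl::server_name ACL. The fragment below is an added example, not configuration from anyone in this thread; it assumes an http_port with ssl-bump is already configured, and the .bank.example / .health.example names and the ACL names are placeholders.

```conf
# Added example (not from the thread): SNI-based splice/bump decision at step2.

# Step 1: peek at the client hello so the SNI becomes available for step 2.
acl step1 at_step SslBump1
ssl_bump peek step1

# Placeholder list of server names that must never be decrypted.
# ssl::server_name is populated from the peeked SNI by the time step 2 rules run.
acl no_bump_sni ssl::server_name .bank.example .health.example

# Step 2: splice the exempt names, bump (decrypt) everything else.
ssl_bump splice no_bump_sni
ssl_bump bump all
```

Because the exemption is evaluated at step2, the step1 fake CONNECT that eCAP sees (with only the client IP) does not need to carry the decision.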