<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 20, 2016 at 5:01 PM, Alex Rousskov <span dir="ltr"><<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div id=":3bp" class="a3s aXjCH m157e04097b11924e">Please note that "peek and make a decision based on SNI" is not what<br>
your configuration tells Squid to do. </div></blockquote></div><br>This is a complex situation for most people (myself included), can you tell us how to "peek and make a decision based on SNI"?</div><div class="gmail_extra"><br></div><div class="gmail_extra">I'm probably like the original poster in that I simply want to be able to do transparent proxy of TCP/443 so as to better log HTTPS transactions. I wouldn't even bother with the "terminate" bit - if I wanted to blacklist some HTTPS sites, I'd rather rely on the normal non-bumping ACLs, the SNI-learnt domain names - and "deny" - I don't care if a cleartext blob is sent through to a client who thinks it's TLS - it will break and that's all that matters. Anything better *requires* full MiTM which I want to avoid as I believe it has no future due to pinning.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Off to upgrade to 3.5.22 :-)<br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Cheers</div><div><br></div><div>Jason Haar</div><div>Information Security Manager, Trimble Navigation Ltd.</div><div>Phone: +1 408 481 8171</div><div>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1</div></div></div>
</div></div>