<div dir="ltr"><div class="gmail_default" style="font-size:small"><div class="gmail_default">Thanks for the input.  Peeking less and splicing sooner appears to resolve the issue I was having.  Since SNI is available at step 2 after peeking at step 1, there was no loss in functionality.  So my ssl_bump config ends up looking like below:</div><div class="gmail_default"><br></div><div class="gmail_default"><div class="gmail_default">ssl_bump peek step1</div><div class="gmail_default">ssl_bump splice step2 allowed_https_sites</div><div class="gmail_default">ssl_bump splice step2 allowed_https_ips</div><div class="gmail_default">ssl_bump terminate step2 all</div><div class="gmail_default"><br></div><div class="gmail_default"><br></div><div class="gmail_default">Thanks again!</div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 3, 2018 at 5:47 PM, Amos Jeffries <span dir="ltr">&lt;<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 04/01/18 12:37, Alex Rousskov wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 01/03/2018 03:30 PM, brianbergstrom wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If I understand the docs and this thread correctly, Squid should be removing<br>
h2 from the ALPN in the Client Hello since Squid does not support it.<br>
</blockquote>
<br>
Please note that Squid cannot remove something when using "peek" and<br>
"splice" actions.<br>
<br>
I do not know whether Squid removes unsupported ALPN values when using<br>
"stare" and "bump" actions, and I would not be surprised to learn that<br>
Squid does not police those values at all (yet).<br>
</blockquote>
<br></span>
It does *unless* peeking at the server handshake: &lt;<a href="https://github.com/squid-cache/squid/blob/v3.5/src/ssl/bio.cc#L1261" rel="noreferrer" target="_blank">https://github.com/squid-cache/squid/blob/v3.5/src/ssl/bio.cc#L1261</a>&gt;.<span class="HOEnZb"><font color="#888888"><br>
<br>
Amos</font></span><div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><b><font size="4">Brian Bergstrom</font></b><div><font size="2">SOFTWARE ENGINEER</font></div><div><font size="1"></font></div><div><font size="1"><br></font><div><font size="1">SportsEngine | 807 Broadway St NE | Suite 300 | Minneapolis, MN 55413</font></div></div><div><font size="1"><a href="http://sportsengine.com" target="_blank">SportsEngine.com</a> | <a href="http://twitter.com/NBCSportsEngine" target="_blank">twitter.com/NBCSportsEngine</a> | <a href="http://facebook.com/NBCSportsEngine" target="_blank">facebook.com/NBCSportsEngine</a></font></div></div>
</div>
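<div>Added example (not part of the original message, and not Squid's code): a Python sketch of what peeking at step 1 exposes, namely the SNI and ALPN values in the ClientHello, and of the splice-or-terminate decision the rule order above makes on the SNI. The ClientHello bytes are constructed, exact-name matching stands in for the allowed_https_sites ACL (an assumption about how it is defined), and the allowed_https_ips rule is not modeled.</div>

```python
import struct

def build_client_hello(sni, alpn):
    """Constructed sample: minimal TLS 1.2 ClientHello handshake message."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!H", len(protos)) + protos
    exts = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in ((0, sni_ext), (16, alpn_ext)))
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(msg):
    """Return the SNI host name and ALPN protocol list from a ClientHello."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                    # skip header, version, random
    pos += 1 + msg[pos]                                 # session_id
    pos += 2 + int.from_bytes(msg[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + msg[pos]                                 # compression_methods
    end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    out = {"sni": None, "alpn": []}
    while pos + 4 <= min(end, len(msg)):
        etype, elen = struct.unpack_from("!HH", msg, pos)
        data = msg[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name entry
            out["sni"] = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii", "replace")
        elif etype == 16:                               # ALPN protocol list
            i = 2
            while i < len(data):
                out["alpn"].append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
                i += 1 + data[i]
    return out

def step2_action(msg, allowed_sites):
    """Mirror the rule order above: splice allowed names, terminate the rest."""
    try:
        sni = parse_client_hello(msg)["sni"]
    except (ValueError, IndexError):                    # malformed or truncated hello
        return "terminate"
    return "splice" if sni in allowed_sites else "terminate"

if __name__ == "__main__":
    print(step2_action(build_client_hello("updates.example.com", ["h2"]), {"updates.example.com"}))
```

<div>A spliced connection forwards the ClientHello unchanged, so any h2 entry the parser reports in the ALPN list reaches the server as the client sent it.</div>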