<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<div>Using <span>squid-4.2-1.el7.x86_64</span></div>
<div><br>
</div>
I'm looking at ways to optimize Squid when using ssl_bump. We use the peek &amp; splice approach now and it works pretty well.
<div><br>
</div>
<div>While running some tests, I noticed that Squid always makes an outbound connection to the remote server regardless of when I terminate the connection. I'm trying to build a configuration that denies traffic immediately if the client SNI header doesn't match, without making a connection to the remote host.</div>
<div><br>
</div>
<div>Here is a very simple configuration that should terminate all connections after step1. The connection is terminated, but by running a tcpdump at the same time, I see that Squid still makes an outbound connection.</div>
<div><br>
</div>
<div>
<div><i>acl step1 at_step SslBump1</i></div>
<div><i>ssl_bump terminate step1</i></div>
<div><br>
</div>
</div>
<div>I would expect that if I terminate after step1, the connection to the remote server should never be made. Can anyone help me understand why Squid would still make the outbound connection in this instance? </div>
</div>
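<div>The following squid.conf fragment is an added example for the SNI-based deny the post is after; it is not the poster's configuration and not taken from the Squid project. Squid only has the CONNECT host (or, for intercepted traffic, the destination IP) at step SslBump1; the client's SNI is read from the TLS ClientHello by a <i>peek</i> at step1 and can then be matched by <i>ssl::server_name</i> at step SslBump2. The domain list, ACL names and the use of a hypothetical intercept port are assumptions for illustration.</div>

```conf
# Added example (not from the original post): terminate at step2 when the
# client SNI is not on an allow-list, splice (no bump) when it is.
# Assumed names: step1/step2/allowed_sni; assumed allow-list: .example.com/.example.org.

# Steps of the ssl_bump state machine
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# ssl::server_name matches the CONNECT host at step1, the ClientHello SNI
# once it has been peeked (step2), and the server certificate name at step3.
acl allowed_sni ssl::server_name .example.com .example.org

# Step1: only the CONNECT host / destination IP is known, so peek to
# obtain the ClientHello (and thus the SNI) rather than deciding yet.
ssl_bump peek step1

# Step2: SNI is now available. Close the client connection when the name
# is not allowed; do not peek or stare here, since step3 needs a server hello.
ssl_bump terminate step2 !allowed_sni

# Everything that reached this point carried an allowed SNI: splice,
# i.e. pass the TLS session through untouched.
ssl_bump splice all
```

<div>Whether Squid still opens a server-side TCP connection before a <i>terminate</i> takes effect is exactly the question the post raises, and this example does not claim to settle it. To check, watch for SYN packets from the proxy while a client with a disallowed SNI connects, e.g. <i>tcpdump -ni any 'tcp[tcpflags] &amp; tcp-syn != 0 and dst port 443'</i>, and compare against the step1 and step2 placements of the terminate rule.</div>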
</body>
</html>