<div dir="auto">Hi Alex,<div dir="auto"><br></div><div dir="auto">If I use the Squid configuration below:</div><div dir="auto"><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px"> ssl_bump peek step1</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px"> ssl_bump splice all</span><br></div><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px"><br></span></div><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">I would see the fake CONNECT request in step 2 as well. I did not check Squid version 4, but Squid version 3 will send the second fake CONNECT to the eCAP adapter only if we splice in step 2, which will be true in the above configuration.</span></div><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">But I don't want to splice in step 2, well, not always. I want my eCAP adapter to get the fake CONNECT in all cases in step 2 so that I can then make a decision in step 2 whether to splice or bump.</span></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">In other words, at the end of step 1 Squid could make a call to the adaptation acl (it does not currently), which would help to make decisions based on the SNI (if available).</span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px"><br></span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">As per my understanding, Squid makes a call to the adaptation acl in the following cases:</span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">Step 1 - at the start of the connection, but here only the IP is available.
</span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">Step 2 - only when splicing.</span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">I did not check any further from here because by then it is mostly too late to bump anyway.</span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px"><br></span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">I am happy to send the following to another group if you can suggest one:</span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">I made a manual code change for acl adaptation at the end of step 1 and I was able to send the fake CONNECT with SNI to eCAP. I wanted to understand from experts whether these changes are incorrect and may cause issues in some cases I don't know about.</span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px"><br></span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">Thanks, </span></font></div><div dir="auto"><font face="sans-serif"><span style="font-size:12.8px">Jatin</span></font></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu., 24 Oct. 2019, 07:55 Alex Rousskov, <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 10/23/19 3:37 PM, Jatin Bhasin wrote:<br>
<br>
> This question is related to SSL decryption and the eCAP adaptation call. <br>
> When the SSL connection starts, then before it even extracts the SNI Squid sends <br>
> fakeConnect, which comes to eCAP as well.<br>
<br>
Yes, this happens during SslBump step1 as described at<br>
<a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice" rel="noreferrer noreferrer" target="_blank">https://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br>
<br>
<br>
> I am using peek in step 1 and after fakeConnect squid extracts the sni,<br>
> but at this point squid does not make another call to ecap.<br>
<br>
According to the above wiki page (and my understanding of how SslBump<br>
should work), Squid should make another adaptation pass during step2.<br>
You may want to make sure that your Squid does not discover some error<br>
_before_ it can start doing eCAP during step2.<br>
<br>
If your eCAP service does not see the second CONNECT (during step2), I<br>
suggest using the latest Squid v4 with the following "minimal" SslBump<br>
configuration:<br>
<br>
ssl_bump peek step1<br>
ssl_bump splice all<br>
<br>
Does the above work without problems when eCAP is turned off?<br>
<br>
Does the above deliver the second CONNECT to eCAP when it is enabled?<br>
<br>
<br>
> This function in squid is startPeekAndSpliceDone in file<br>
> client_side.cc<br>
<br>
<br>
We should not be discussing code details on squid-users, but the latest<br>
Squid v4 does not have that function AFAICT:<br>
<br>
> $ git grep startPeekAndSpliceDone SQUID_4_8 | wc -l<br>
> 0<br>
<br>
<br>
Alex.<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
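As an added example that is not part of either message above: a Squid v4 SslBump configuration in the style of the wiki page Alex links, which peeks at step 1 and then lets ssl_bump rules use the SNI at step 2 to choose between splicing and bumping (the decision Jatin wants to make in the adapter), with an eCAP service attached through adaptation_access. The port, certificate paths, ACL names, the .bank.example domain and the eCAP service URI are assumed placeholders.

```conf
# Added example, not from the thread. Paths, ACL names, domain and the
# eCAP service URI are assumptions; adjust them for a real deployment.
http_port 3128 ssl-bump \
  tls-cert=/etc/squid/bump.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# The three SslBump processing steps, matched with the at_step ACL.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Assumed list of server names (matched against the SNI) that must
# never be decrypted, e.g. banking sites.
acl no_bump ssl::server_name .bank.example

# Step 1: only the client IP is known, so peek to obtain the SNI.
ssl_bump peek step1
# Step 2: the SNI is now available; splice the no_bump list and
# stare at everything else so it can be bumped at step 3.
ssl_bump splice no_bump
ssl_bump stare step2
# Step 3: bump whatever was not spliced.
ssl_bump bump all

# eCAP request adapter; it sees the fake CONNECT at step 1 and, for
# spliced connections, again at step 2 as discussed in the thread.
ecap_enable on
ecap_service ecap_req reqmod_precache uri=ecap://example.com/adapter bypass=off
adaptation_access ecap_req allow all
```

Because the splice-or-bump choice is expressed in ssl_bump rules, no change to Squid's adaptation call sites is needed for an SNI-based policy.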