<div dir="auto">Thanks Amos</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 12 Aug 2021, 04:05 Amos Jeffries, <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 12/08/21 4:06 am, robert k Wild wrote:<br>
> Great thanks Amos as always<br>
> <br>
> So shall I leave this ssl bump lines in<br>
> <br>
> ssl_bump splice NoSSLIntercept<br>
>> ssl_bump peek DiscoverSNIHost<br>
>> ssl_bump bump all<br>
> <br>
> And delete this one<br>
> <br>
> acl step1 at_step SslBump1<br>
>> ssl_bump peek step1<br>
>> ssl_bump bump all<br>
> <br>
> As you're right, they're both the same; I didn't spot that<br>
> <br>
> My understanding is that with the "no ssl intercept", squid doesn't even bother to <br>
> inspect the packets, i.e. man-in-the-middle, and just literally passes it <br>
> straight to the client<br>
> <br>
> Is that right?<br>
> <br>
<br>
Not quite. Squid still has to receive and look at something to make the <br>
decision to splice.<br>
<br>
The "NoSSLIntercept" is just an ACL. Being defined as an ssl::server_name <br>
type, it looks at whatever Squid is able to find for a server name <br>
amongst the available data (CONNECT message URI, the client IP's <br>
reverse-DNS, any TLS details seen so far, etc.).<br>
So it depends on how many of the SSL-Bump steps have taken place so <br>
far as to what it can match against.<br>
<br>
In your case it happens at step1 and maybe step2 (when the peek happened <br>
at step1 instead). Which means Squid looks at the TCP connection's <br>
client IP, a CONNECT URI (if any) and maybe the TLS client handshake <br>
plain-text details.<br>
<br>
Note this is specific to your *current* configuration. Small changes <br>
to the order of ssl_bump lines or ACLs used can change this behaviour <br>
dramatically.<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
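An annotated version of the rule set discussed above, added here as an example and not taken from the thread or from the Squid project. The thread shows only the ssl_bump lines, so the ACL definitions (step1 as at_step SslBump1, NoSSLIntercept as an ssl::server_name list) and the whitelist file path are assumptions; the comments record which SSL-Bump step evaluates each line and what data is available to it at that point.

```conf
# Added example (not from the thread). ACL definitions are assumed; the
# whitelist path is a placeholder, not a real file from the original config.
acl step1 at_step SslBump1
acl NoSSLIntercept ssl::server_name "/etc/squid/PLACEHOLDER-no-intercept.txt"

# ssl_bump rules are re-evaluated top to bottom at every SSL-Bump step;
# the first matching line at that step decides the action.
#
# Step 1 (Squid has only the TCP client IP and a CONNECT URI, if any):
#   - "splice NoSSLIntercept" matches only if the CONNECT host, or what
#     reverse-DNS yields, is in the list -> spliced, TLS never inspected
#   - otherwise "peek step1" matches -> Squid reads the ClientHello (SNI)
# Step 2 (after the peek, the plain-text ClientHello incl. SNI is visible):
#   - "splice NoSSLIntercept" is evaluated again, now against the SNI
#   - "peek step1" no longer matches, so "bump all" wins for the rest
ssl_bump splice NoSSLIntercept
ssl_bump peek step1
ssl_bump bump all

# The second, duplicate rule set from the thread is deliberately left out:
# once a line above has matched, later ssl_bump lines are never reached.

# Ordering caveat raised in the thread: drop (or move) the "peek step1"
# line and the splice decision is only ever made at step 1, before any SNI
# exists. Intercepted clients (no CONNECT) whose hostname is only in the
# SNI then fall straight through to "bump all", so sites meant to be
# exempted get bumped anyway, which shows up as certificate or pinning
# failures on those clients.
```

After a reload, compare access.log entries for a whitelisted and a non-whitelisted host: the former should appear as a tunnel (no decrypted requests logged), the latter as bumped requests.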