[squid-dev] [PATCH] splicing resumed sessions

Amos Jeffries squid3 at treenet.co.nz
Fri Mar 20 08:06:07 UTC 2015


On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
> This patch adds the "ssl_bump_resuming_sessions" directive that controls
> SslBump behavior when dealing with "resuming SSL/TLS sessions". Without
> these changes, SslBump usually terminates all resuming sessions with an
> error because such sessions do not include server certificates,
> preventing Squid from successfully validating the server identity.
> 

RFC 2818 has mandatory validation of the HTTP CONNECT, client SNI
(with server ack), and server certificate dNSName values before session
resume may be performed.

I don't think we have any such validation in Squid yet. So the current
behaviour of terminating is mandatory for compliance with TLS.

Amos
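The three-way consistency check Amos describes (CONNECT target, client SNI with the server's acknowledgement, and a dNSName from the server certificate all naming the same host) can be sketched as follows. This is an added example written for this page, not Squid code and not part of the patch under discussion; the function names `dnsNameMatches` and `mayResumeSession` are invented, the "server ack" is modelled as a boolean that the caller sets when the ServerHello carried the server_name extension, and the wildcard rule follows RFC 2818 section 3.1 ("*.a.com matches foo.a.com but not bar.foo.a.com; f*.com matches foo.com but not bar.com"), with at most one `*` honoured per label.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case and drop a trailing dot so "WWW.Example.COM." equals "www.example.com".
static std::string canonHost(std::string h) {
    std::transform(h.begin(), h.end(), h.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (!h.empty() && h.back() == '.') h.pop_back();
    return h;
}

// Split "a.b.c" into {"a", "b", "c"}.
static std::vector<std::string> labels(const std::string &h) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : h) {
        if (c == '.') { out.push_back(cur); cur.clear(); }
        else cur += c;
    }
    out.push_back(cur);
    return out;
}

// Match one hostname label against a pattern label that may hold a single '*'.
// The '*' matches any fragment of that label only (RFC 2818 3.1: "f*.com" matches "foo.com").
static bool labelMatches(const std::string &pat, const std::string &lab) {
    const auto star = pat.find('*');
    if (star == std::string::npos) return pat == lab;
    const std::string pre = pat.substr(0, star), suf = pat.substr(star + 1);
    if (lab.size() < pre.size() + suf.size()) return false;
    return lab.compare(0, pre.size(), pre) == 0 &&
           lab.compare(lab.size() - suf.size(), suf.size(), suf) == 0;
}

// RFC 2818 3.1 dNSName matching: a wildcard never spans a dot, so the label
// counts must be equal ("*.a.com" matches "foo.a.com" but not "bar.foo.a.com").
bool dnsNameMatches(const std::string &pattern, const std::string &host) {
    const auto p = labels(canonHost(pattern));
    const auto h = labels(canonHost(host));
    if (p.size() != h.size()) return false;
    for (size_t i = 0; i < p.size(); ++i)
        if (!labelMatches(p[i], h[i])) return false;
    return true;
}

struct ResumeCheck {
    bool ok;
    std::string reason;   // first failing check, or why the resume is acceptable
};

// Hypothetical gate for splicing a resuming session: the CONNECT host, the
// client's SNI (which the server must have acknowledged) and one dNSName from
// the certificate cached for that server must all agree. Any gap fails closed,
// which is the "terminate" behaviour the thread says Squid currently has.
ResumeCheck mayResumeSession(const std::string &connectHost,
                             const std::string &clientSni,
                             bool serverAckedSni,
                             const std::vector<std::string> &certDnsNames) {
    if (clientSni.empty())
        return {false, "no client SNI: resumed session cannot be tied to a server name"};
    if (!serverAckedSni)
        return {false, "server did not acknowledge the SNI"};
    if (canonHost(connectHost) != canonHost(clientSni))
        return {false, "CONNECT host and client SNI differ"};
    for (const auto &name : certDnsNames)
        if (dnsNameMatches(name, connectHost))
            return {true, "CONNECT host, SNI and cached certificate dNSName agree"};
    return {false, "no cached certificate dNSName matches the CONNECT host"};
}
```

Note that `certDnsNames` stands in for names taken from a certificate seen on an earlier, fully validated handshake with the same server; a resuming handshake itself carries no certificate, which is exactly why the check cannot be done from the resumed session alone.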


