[squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 9 10:57:26 UTC 2015


On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
> 
> I have a working production 3.4.10 with working ssl bumping.
> 
> Config was the same as the working 3.4.10. I just want to take a
> look at the new release.
> 
> squid.documented says that the backward compatibility server-first
> and none options for ssl_bump are kept.
> 
> But:
> 
> It works neither with the old syntax nor the new.
> 
> Looks like the target https hosts are not resolved and bump got only the IP.

The config values are still accepted, but there is an extra bumping
stage now before the SNI is available.

You are wanting to peek at stage 1 (to get the client SNI details) and
server-first/splice at stage 2 (using the domain). Otherwise all Squid
works with when intercepting are the TCP IPs.

Amos

