[squid-users] problem with some ssl services
Amos Jeffries
squid3 at treenet.co.nz
Thu Jun 18 02:25:59 UTC 2015
On 17/06/2015 6:52 p.m., Jason Haar wrote:
> On 15/06/15 11:58, Amos Jeffries wrote:
>> Ensure that you are using the very latest Squid version to avoid
>> problems with unsupported TLS mechanisms. The latest Squid will also
>> automatically splice if its determined that the TLS connection cannot be
>> bumped.
> Is that supposed to be in 3.5.5? I just noticed a problem with bumping
> that came down to the
> web server requiring client cert validation and squid-3.5.5 failed to
> splice - so it failed going through bump
> (as you'd expect).
>
> I guess I'm asking if this new "SSL determination" includes detecting
> client certs, because that would be a
> good one to detect if possible?
It would seem so. AFAIK we are only detecting resumed sessions and
incompatible cipher sets at present. You may want to contact Christos
about the client certs.
FYI: the "ssl_bump peek all" config I have been advising, may not always
be the best. It seems there is some use for the "stare" option during
stage2 bumping instead of peek. But Im not sure yet myself on when its
best to do that over peek. You might awant to try it.
Amos
More information about the squid-users
mailing list