[squid-users] Quick peek-splice clarification
James Lay
jlay at slave-tothe-box.net
Tue Jun 23 11:16:57 UTC 2015
On Tue, 2015-06-23 at 09:11 +0200, Klavs Klavsen wrote:
> Hi James,
>
> Did you ever find an answer for this?
>
> James Lay wrote on 06/11/2015 02:16 AM:
> > All,
> >
> > From the docs at:
> >
> > http://wiki.squid-cache.org/Features/SslPeekAndSplice
> >
> > *peek*
> >
> >
> > step1, step2
> >
> >
> > Receive SNI and client certificate (step1), or server certificate
> > (step2) while preserving the possibility of splicing the connection.
> > Peeking at the server certificate usually precludes future bumping of
> > the connection (see Limitations). This action is the focus of this project.
> >
> >
> > *stare*
> >
> >
> > step1, step2
> >
> >
> > Receive SNI and client certificate (step1), or server certificate
> > (step2) while preserving the possibility of bumping the connection.
> > Staring at the server certificate usually precludes future splicing of
> > the connection. Currently, we are not aware of any work being done to
> > support this action.
> >
> >
> >
> > I see a lot of:
> >
> > ssl_bump peek all
> >
> > Does this perform both step1 with SNI and client cert, AND server cert?
> > Thank you.
> >
> > James
> >
> >
>
>
Hi Klavs,

I did not. I can tell you in my testing that:

ssl_bump peek step1 all
ssl_bump peek step2 all

versus

ssl_bump peek all

did not give me the same results, so I'm going to assume a single
statement only performs SNI lookup, but maybe someone else on the list
has a better answer.

James