[squid-users] Quick peek-splice clarification

James Lay jlay at slave-tothe-box.net
Tue Jun 23 11:16:57 UTC 2015


On Tue, 2015-06-23 at 09:11 +0200, Klavs Klavsen wrote:

> Hi James,
> 
> Did you ever find an answer for this?
> 
> James Lay wrote on 06/11/2015 02:16 AM:
> > All,
> >
> >  From the docs at:
> >
> > http://wiki.squid-cache.org/Features/SslPeekAndSplice
> >
> > *peek*
> >
> > 	step1, step2
> >
> > 	Receive SNI and client certificate (step1), or server certificate
> > (step2) while preserving the possibility of splicing the connection.
> > Peeking at the server certificate usually precludes future bumping of
> > the connection (see Limitations). This action is the focus of this project.
> >
> > *stare*
> >
> > 	step1, step2
> >
> > 	Receive SNI and client certificate (step1), or server certificate
> > (step2) while preserving the possibility of bumping the connection.
> > Staring at the server certificate usually precludes future splicing of
> > the connection. Currently, we are not aware of any work being done to
> > support this action.
> >
> >
> >
> > I see a lot of:
> >
> > ssl_bump peek all
> >
> > Does this perform both step1 with SNI and client cert, AND server cert?
> > Thank you.
> >
> > James
> >
> >
> >
> 
> 


Hi Klavs,

I did not.  I can tell you in my testing that:

ssl_bump peek step1 all
ssl_bump peek step2 all

versus

ssl_bump peek all

did not give me the same results, so I'm going to assume a single
statement only performs SNI lookup, but maybe someone else on the list
has a better answer.

James