[squid-users] SSL bumping without faked server certificates
Sebastian Kirschner
s.kirschner at afa-finanz.de
Tue Nov 10 14:27:27 UTC 2015
Hi Stefan,
I think it would be better to peek at step1 (then you have the client SNI), and at step2 you could bump or splice.
Your config
> My assumption is that I have to use in Squid's config:
> https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
> acl MYSITE ssl::server_name .mydomain.com
> ssl_bump bump MYSITE
> ssl_bump splice all
A better way might be
# acl step1 at_step SslBump1
# acl MYSITE ssl::server_name .mydomain.com
#
# ssl_bump peek step1
# ssl_bump bump MYSITE
# ssl_bump splice all
Best Regards
Sebastian
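
Added example (not part of the original message and not Squid code): a simplified Python model of first-match ssl_bump evaluation, comparing the quoted rule set with the peek-at-step1 variant for an intercepted connection. It assumes the client SNI is only known after a step1 peek; the names decide, ORIGINAL and WITH_PEEK and the sample IP and hostnames are constructed for illustration.

```python
# Simplified model of ssl_bump evaluation (assumption-based sketch, not Squid code):
# rules are re-checked at each step, the first matching rule wins,
# bump/splice end processing, and peek moves on to the next step.

def server_name_matches(pattern, name):
    """Suffix match for '.mydomain.com' (the domain itself and its subdomains)."""
    if name is None:
        return False
    name, bare = name.lower().rstrip("."), pattern.lstrip(".").lower()
    return name == bare or name.endswith("." + bare)

def decide(rules, dst_ip, sni):
    """Return the final action for an intercepted connection.

    rules: list of (action, acl) in config order; acl is 'all', 'step1'
    or ('server_name', pattern). dst_ip and sni are constructed sample inputs.
    """
    for step in (1, 2):
        # Intercepted traffic: step 1 only knows the destination IP;
        # the client SNI becomes available at step 2, after a peek.
        known_name = dst_ip if step == 1 else (sni or dst_ip)
        for action, acl in rules:
            if acl == "all":
                hit = True
            elif acl == "step1":
                hit = step == 1
            else:
                hit = server_name_matches(acl[1], known_name)
            if not hit:
                continue
            if action in ("bump", "splice"):
                return action
            break  # peek: re-evaluate the rules at the next step
        else:
            return "splice"  # assumption of this sketch: no match means tunnel
    return "splice"  # assumption of this sketch: still peeking after step 2

MYSITE = ("server_name", ".mydomain.com")
ORIGINAL = [("bump", MYSITE), ("splice", "all")]
WITH_PEEK = [("peek", "step1"), ("bump", MYSITE), ("splice", "all")]

if __name__ == "__main__":
    for sni in ("www.mydomain.com", "example.org", None):  # constructed samples
        print(sni, decide(ORIGINAL, "192.0.2.10", sni),
              decide(WITH_PEEK, "192.0.2.10", sni))
```

In this model the quoted rule set splices every intercepted connection, because at step 1 the name is still an IP address, while the peek variant bumps only connections whose SNI falls under .mydomain.com.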