[squid-users] Squid "bumping" traffic despite using "splice" directive

Alex Rousskov rousskov at measurement-factory.com
Fri Nov 13 00:00:01 UTC 2015


On 11/12/2015 04:47 PM, Amos Jeffries wrote:
> On 13/11/2015 8:12 a.m., Alex Rousskov wrote:
>> On 11/12/2015 11:31 AM, Tom Mowbray wrote:
>>> acl sslallow ssl::server_name "/path/to/file"
>>> ssl_bump peek all
>>> ssl_bump splice sslallow
>>> ssl_bump terminate all


> I am wondering if this is all a misunderstanding of what happens when a
> peek is being done at step2 / server cert details ?
> 
> I think this ordering better matches the policy:
> 
>  ssl_bump splice sslallow
>  ssl_bump peek all
>  ssl_bump terminate all


This order will reduce the number of SSL validation errors (if any)
because splicing will often happen before step3 with this order, but it
cannot solve the actual problem IMO (only mask it and/or make it less
frequent).


On 11/12/2015 12:48 PM, Tom Mowbray wrote:
> We have squid set to "deny all" on certificate error.


Which instructs Squid to bump SSL connections that have certificate
validation or similar SSL errors (from Squid's point of view).


> I don't see anything strange in the access log, just the initial CONNECT request

If there was an SSL validation error, Squid should reply with 200 OK to
the CONNECT but also log SSL validation error details (on the same
access.log line as the CONNECT transaction). Please add %err_code,
%err_detail, and %ssl::<cert_errors to your access.log format line (if
not already there) and see if they give any clues.


HTH,

Alex.
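A squid.conf fragment that puts the pieces of this thread together: the splice-first ordering Amos proposed, the "deny all" certificate-error policy Tom described, and the three SSL error fields Alex asks to be added to the access log. This is an added example, not configuration from the thread or from the Squid project; the file path, the `sslbump` logformat name, the Squid 3.5 version and the base field list (Squid's default "squid" format) are assumptions.

```conf
# Added example (assumes Squid 3.5); the path and logformat name are placeholders.

# Server names that may be passed through unbumped, one per line in the file.
acl sslallow ssl::server_name "/path/to/file"

# Splice the allowed servers first, so they are decided at step1/step2 and
# never reach step3 where server-certificate validation errors can surface.
ssl_bump splice sslallow
ssl_bump peek all
ssl_bump terminate all

# The policy from the thread: a connection whose server certificate fails
# validation is not allowed through, so Squid bumps it to deliver the error.
sslproxy_cert_error deny all

# Default log fields, extended with the error code, error detail and the
# certificate validation errors so the CONNECT line shows why bumping happened.
logformat sslbump %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt err=%err_code/%err_detail certerr=%ssl::<cert_errors
access_log /var/log/squid/access.log sslbump
```

With this in place, a CONNECT logged with a non-empty `err=` or `certerr=` field is the validation failure Alex describes, and the server name in that line is what to compare against the `sslallow` list.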


