[squid-users] Squid SNI at Step 2

Alex Rousskov rousskov at measurement-factory.com
Mon Oct 26 17:20:34 UTC 2015


On 10/26/2015 06:34 AM, Jatin Bhasin wrote:

> I am running squid 3.5.10 for bumping transparent SSL connections. To
> achieve this I am using the following squid configuration for SSL Bumping.
> 
> ssl_bump peek step1 all
> ssl_bump peek step2 nobumpSites
> ssl_bump bump step3 nobumpSites
> ssl_bump bump all


In the latest Squids, the above config probably does not do what you
want. For nobumpSites, your config is equivalent to:

  ssl_bump peek step1
  ssl_bump peek step2
  ssl_bump bump step3

which does not work in most cases -- you cannot bump after peeking at step2.

For all other sites, your config is equivalent to:

  ssl_bump peek step1
  ssl_bump bump step2

which works.


If you want to bump everything, then this should work:

  ssl_bump stare all
  ssl_bump bump all

If you want to bump everything other than nobumpSites (which needs SNI),
then start with something like this:

  ssl_bump peek step1
  ssl_bump splice nobumpSites
  ssl_bump bump all


HTH,

Alex.
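
The rule matching walked through in the reply above can be traced with a small model. This is an added example, not code from the post or from Squid; it assumes first-match-wins evaluation at each step with the ACLs on a line ANDed, that peek and stare rules are skipped at step3, and it treats nobumpSites as a per-connection boolean.

```python
# Simplified model of ssl_bump rule matching (added illustration, not Squid code).
# Assumptions: first matching rule wins at each step, ACLs on a line are ANDed,
# peek/stare rules are skipped at step3, nobumpSites is a plain boolean.
ORIGINAL = """
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump bump step3 nobumpSites
ssl_bump bump all
"""
SUGGESTED = """
ssl_bump peek step1
ssl_bump splice nobumpSites
ssl_bump bump all
"""
BUMP_ALL = """
ssl_bump stare all
ssl_bump bump all
"""

def parse(config):
    """Turn 'ssl_bump ACTION acl ...' lines into (action, [acls]) tuples."""
    lines = (line.split() for line in config.strip().splitlines())
    return [(w[1], w[2:]) for w in lines if w and w[0] == "ssl_bump"]

def trace(config, in_nobump):
    """Return the actions chosen at step1..step3 for one connection."""
    rules, taken = parse(config), []
    for step in (1, 2, 3):
        acl = {"all": True, "nobumpSites": in_nobump,
               "step1": step == 1, "step2": step == 2, "step3": step == 3}
        for action, acls in rules:
            if step == 3 and action in ("peek", "stare"):
                continue  # not possible at step3, so the rule is skipped
            if all(acl[name] for name in acls):
                taken.append(action)
                break
        else:
            break  # no rule matched; Squid's default handling is not modelled
        if taken[-1] in ("splice", "bump", "terminate"):
            break  # final decision, no further steps
    return taken

def bump_after_peek(taken):
    """True for the sequence the reply warns about: peek at step2, bump at step3."""
    return len(taken) == 3 and taken[1] == "peek" and taken[2] == "bump"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED), ("bump all", BUMP_ALL)):
        for hit in (True, False):
            t = trace(cfg, hit)
            print(f"{name:9} nobumpSites={hit!s:5} {t} problem={bump_after_peek(t)}")
```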


