[squid-users] Squid SNI at Step 2

Jatin Bhasin jbhasin83 at gmail.com
Mon Oct 26 19:18:30 UTC 2015


Hi Alex,

Thanks. I understand this. I want a mechanism by which Squid can send
the FAKE CONNECT SNI as a HOST request to the eCAP adapter so that I can
decide whether to bump this connection or not. So do you think this
will not be possible in the current release of Squid?

Squid does not generate the SNI FAKE CONNECT until we splice at step 2. Do
you know why Squid does not generate a FAKE CONNECT request for
bump and peek actions at step 2?


Thanks,
Jatin



On Tue, Oct 27, 2015 at 4:20 AM, Alex Rousskov
<rousskov at measurement-factory.com> wrote:
> On 10/26/2015 06:34 AM, Jatin Bhasin wrote:
>
>> I am running squid 3.5.10 for bumping transparent SSL connections. To
>> achieve this I am using the following squid configuration for SSL Bumping.
>>
>> ssl_bump peek step1 all
>> ssl_bump peek step2 nobumpSites
>> ssl_bump bump step3 nobumpSites
>> ssl_bump bump all
>
>
> In the latest Squids, the above config probably does not do what you
> want. For nobumpSites, your config is equivalent to:
>
>   ssl_bump peek step1
>   ssl_bump peek step2
>   ssl_bump bump step3
>
> which does not work in most cases -- you cannot bump after peeking at step2.
>
> For all other sites, your config is equivalent to:
>
>   ssl_bump peek step1
>   ssl_bump bump step2
>
> which works.
>
>
> If you want to bump everything, then this should work:
>
>   ssl_bump stare all
>   ssl_bump bump all
>
> If you want to bump everything other than nobumpSites (which needs SNI),
> then start with something like this:
>
>   ssl_bump peek step1
>   ssl_bump splice nobumpSites
>   ssl_bump bump all
>
>
> HTH,
>
> Alex.
>
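A complete squid.conf fragment that puts Alex's last recipe into context, added here as an illustration; it is not taken from the thread or from the Squid project's own documentation. The acl names step1, step2, step3 and nobumpSites are the ones used in the thread, while the port number, certificate path, helper path, cache sizes and the domain list are assumptions that a real deployment would replace:

```squid
# Added example (not from the thread): intercept port with SSL Bump enabled.
# Port, certificate path, helper path and cache sizes are assumptions.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Step ACLs:
#   SslBump1 - only the TCP connection exists (destination IP is known)
#   SslBump2 - the client's ClientHello has been parsed (SNI is known)
#   SslBump3 - the server's certificate has been received
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be bumped. ssl::server_name is matched against the
# SNI once step2 is reached; the domains listed here are assumptions.
acl nobumpSites ssl::server_name .bank.example .payroll.example

# The original rules from the thread, kept only for contrast. For
# nobumpSites they peek at step2 and then try to bump at step3, which does
# not work, so they stay commented out.
# ssl_bump peek step1 all
# ssl_bump peek step2 nobumpSites
# ssl_bump bump step3 nobumpSites
# ssl_bump bump all

# Working rules: peek at step1 to learn the SNI, splice nobumpSites as soon
# as their SNI matches at step2, and bump everything else at step2.
ssl_bump peek step1
ssl_bump splice nobumpSites
ssl_bump bump all
```

Run `squid -k parse` against the file before reloading to catch syntax errors in the ACL and ssl_bump lines. Note the caveat this ordering carries: a client that sends no SNI in its ClientHello gives nobumpSites nothing to match at step2, so such a connection falls through to the final rule and is bumped.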

