[squid-users] Any problems with %ssl::>sni in 3.5.16?

Amos Jeffries squid3 at treenet.co.nz
Sun Apr 17 10:49:10 UTC 2016


On 12/04/2016 5:52 p.m., Dan Charlesworth wrote:
> We have an External ACL Type with %ssl::>sni and %URI
> 
> We get access log lines that record the %ssl::>sni just fine, but the corresponding line sent to our external ACL is missing it.
> 
> For example, from the same request;
> 
> Log: 12/Apr/2016-15:42:47    608 10.0.1.60 TAG_NONE 200 0 CONNECT 23.111.9.31:443 code.jquery.com - peek - ORIGINAL_DST/23.111.9.31 - -
> 
> Line sent to Ext. ACL: 23.111.9.31:443 -
> 
> 
> Not sure if many people on this list use external ACLs as much, but anyone encountered this?

From the silence it would seem not. But most likely it's not a very
commonly used config setting yet.

It could be you are using the ACL just prior to the SNI being peeked at.
The ACL is pulling its value straight from the TCP connection state so
not even any temporary location involved that could be out of sync.

I don't recall there having been any significant changes to the external
ACL code since it went in. There may have been some changes that
affected it on the SSL-Bump side, but unlikely.

Amos
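
Added example, not part of the original thread or of Squid: a sketch of an external ACL helper that treats the "-" placeholder seen in the line above as "no SNI yet" and denies, instead of matching on the IP in %URI. Assumptions: the request line is "%URI %ssl::>sni" in that order (as in the line quoted above), helper concurrency is off so there is no channel-ID prefix, and the allowlist is a constructed policy.

```python
import sys

# Constructed policy for illustration: domains whose SNI the helper accepts.
ALLOWED_SNI = ("jquery.com",)


def parse_request(line):
    """Split a '%URI %ssl::>sni' request line into (uri, sni); sni is None for '-'."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError("expected exactly two fields: %r" % line)
    uri, sni = fields
    if sni == "-":  # placeholder sent when no SNI value is available
        return uri, None
    return uri, sni.lower().rstrip(".")


def sni_allowed(sni):
    """Match on a label boundary so 'notjquery.com' does not match 'jquery.com'."""
    return any(sni == d or sni.endswith("." + d) for d in ALLOWED_SNI)


def decide(line):
    """Return the helper response line (OK / ERR / BH) for one request line."""
    try:
        uri, sni = parse_request(line)
    except ValueError:
        return "BH message=malformed-request"
    if sni is None:
        # The lookup ran before any SNI was known; never fall back to the
        # IP in %URI as if it were a hostname.
        return "ERR message=no-sni"
    return "OK" if sni_allowed(sni) else "ERR message=sni-not-allowed"


if __name__ == "__main__":
    # Squid writes one request per line and reads one response per line.
    for request in sys.stdin:
        print(decide(request), flush=True)
```

The message= value makes the "no SNI" case distinguishable from a real policy denial when debugging which lookups ran before the peek.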


