[squid-users] ALPN, HTTP/2 and sslbump
senor
frio_cervesa at hotmail.com
Wed Nov 8 04:15:02 UTC 2017
I am surprised that I didn't find this question asked and answered
recently. Maybe this issue is newer than I realize.

I understand that support of HTTPS/2 is in development but I'd like to
better understand what is and is not currently supported. I discovered
the other day that an intercepted client https connection, which
included both h2 and http/1.1 in the ALPN extension, was tunneled when
the server responded with only h2. I'm assuming that was due to squid
not fully supporting HTTP/2.

My initial need is to prevent the tunnel. Preferably by forcing http/1.1
and bumping but just denying the connection is second best. I'm not
aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm
thinking the external_acl is the only way to go. I think the client ALPN
data is available at bump step 2 but what options do I have at that point?

Help or corrections to my assumptions are appreciated.

Senor