[squid-users] Squid modification to only read client SNI without bumping.

Alex Rousskov rousskov at measurement-factory.com
Tue Jun 8 14:22:03 UTC 2021


On 6/8/21 7:36 AM, squid3 at treenet.co.nz wrote:

> The way I think to approach it though is to start with the
> configuration parser.

That starting point does not compute for me. We do need to agree on how
to configure this feature, but parsing any resulting Squid configuration
ought to be very straightforward. Perhaps you have meant "TLS
ClientHello parser", but Squid already has that.


> A simple peek-splice/terminate TLS traffic flow
> should not need certificates setup by admin.

Squid already does not generate/use certificates for splicing or
terminating connections. In splice-or-terminate use cases, the
certificates come into play only when delivery _errors_. A feature to
prevent bumping for error delivery (and remove any configuration
requirements for CA certificate) should be welcomed IMO.

Please drop squid-users if responding to this email.

Alex.


More information about the squid-users mailing list