[squid-users] cannot open site

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 18 16:26:24 UTC 2021


On 11/18/21 4:44 AM, Amos Jeffries wrote:
> On 18/11/21 20:08, Majed Zouhairy wrote:
>> squid is using ssl bump

> TLS/1.3 handshakes are encrypted. It often cannot be bumped, only
> spliced. Check that traffic to this server is not attempting to
> bump/decrypt.

Just to clarify: IIRC, bugs notwithstanding, Squid's basic ability to bump
connections to TLS servers does not depend on the TLS version. For
example, if the decision to bump is made during step2, then Squid should
be able to bump connections to TLS v1.3 servers.

However, when dealing with TLS v1.3 servers, some SslBump configurations
may match ssl_bump rules that admins do not expect to be matched and may
result in the generation of deficient fake certificates, because the plain
text parts of the handshake do not contain the server certificate.

Due to the lack of server certificates in the plain text part of the
Squid-server handshake, peeking or staring at the TLS v1.3 server is a
lot less useful than peeking or staring at TLS servers that use earlier
TLS versions.


HTH,

Alex.
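The two SslBump decision points discussed above, written out as squid.conf rules. This is an added example, not configuration from the thread or from the Squid project; the ACL names are assumed, and the http_port/CA certificate setup that SslBump also needs is omitted.

```text
# Added example (not from the thread). ACL names step1..step3 are assumed.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Configuration that postpones the bump decision to step3 so that the
# fake certificate can be built from the real server certificate.
# Against a TLS v1.3 server that certificate is encrypted in the
# handshake, so the certificate generated here is deficient.
#ssl_bump peek step1
#ssl_bump stare step2
#ssl_bump bump step3

# Deciding to bump at step2 (after the client Hello is seen) does not
# depend on the server certificate, so this works against TLS v1.3
# servers as well as earlier versions.
ssl_bump peek step1
ssl_bump bump step2
```

Rules that should only match based on server certificate contents belong after a stare at step2 and will not see what they expect from TLS v1.3 servers, which is the mismatch Alex describes.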

