On Mon, Jan 07, 2008, Dumpolid Exeplish wrote: > Adrian, > > How can this be possible? can you explain? * You can treat the SSL connection as just a TCP tunnel type connection. (And if you need to pass it to an upstream proxy, just wrap it in CONNECT.) * You can then do a few things, like: - without breaking the connection: - fingerprint the SSL cipher maybe? - source/destination IP addresses - destination port - destination host, if given in the CONNECT request - breaking the SSL connection (ie, terminating it and then issuing an SSL connection outbound): - well, you've got access to the whole datastream, so anything - but you have to play SSL certificate games so your users don't get hounded by their browsers about insecure certificates. Squid-3 is growing something (called "SslBump") which will introduce some of these features. I'd like to introduce similar functionality in Squid-2 once the squid-3 code is complete and debugged. Adrian