Hi Alex,

> If bumping SSL traffic without client consent or knowledge was possible,
> SSL would be useless.

That's why I dropped the ssl_bump server-first approach for now. But what about the SSL Peek and Splice feature?

Don't get me wrong, I'm not interested in decrypting all user traffic, but in finding a better solution than using the dst IP address to decide if the user is allowed to access a site or not.

I already managed to see Hellos in the logs when switching on ssl_bump peek-and-splice, but I fail to write an ACL filtering for the ServerName in the hello to decide if the traffic should be bumped or not. Allowed sites should simply go to the ssl_bump none option then. AND by using ssl_bump none, no config change is required on the client.

Currently I'm doing this with a script-updated IP list, but with the common limitations of IP (no wildcard domains, no regex, CDN IPs may not be actual, not even considering IPv6 and so on).

However, I don't know how far the peek and splice feature is; is it currently possible to filter for the hello messages?

Greetings and have all a nice weekend,
Alex
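The setup described above (decide per ClientHello server name whether to forward the TLS connection untouched, without installing anything on the client), as an added squid.conf example that is not part of this thread. It assumes the Squid 3.5 peek-and-splice syntax, where the `ssl::server_name` ACL and the `peek`, `splice` and `terminate` actions exist and `splice` took over the role of the old `ssl_bump none`; the port number, the certificate path and the allow-list file name are placeholders.

```conf
# Added example, not from this thread. Assumes Squid 3.5+ peek/splice syntax;
# port, certificate path and allow-list file are placeholders.

# Intercepted HTTPS. The ssl-bump port option requires a cert= even when every
# connection ends up spliced; the certificate is only ever presented to a
# client if a connection is actually bumped, which this config never does.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/squid-ca.pem

# SslBump1 = Squid has seen only the client's TLS ClientHello (and its SNI).
acl step1 at_step SslBump1

# Allowed sites, matched by SNI. A leading dot matches the domain and all of
# its subdomains, so changing CDN addresses and IPv6 do not matter here.
# One pattern per line, e.g. ".example.com" (constructed placeholder file).
acl allowed_sni ssl::server_name "/etc/squid/allowed_sni.txt"

# Peek at the ClientHello to learn the server name, and never go past step 1,
# so no certificate is forged and the client needs no CA installed.
ssl_bump peek step1

# Forward the TLS bytes unchanged for allowed names ...
ssl_bump splice allowed_sni

# ... and close every other connection without bumping it.
ssl_bump terminate all
```

Clients that send no SNI match no allowed name and fall through to `terminate`; that is the safe default, since without a server name there is nothing to base the decision on. If you also want regular expressions rather than domain suffixes, `ssl::server_name_regex` takes the same place in the ACL line. Check `cache.log` at debug level for the ssl_bump decisions while tuning the list.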