> > I already managed to see Hellos in the logs when switching on ssl_bump
> > peek-and-splice, but I fail to write an ACL filtering for the ServerName in
> > the hello to decide if the traffic should be bumped or not. Allowed sites
> > should simply go to the ssl_bump none option then. AND by using ssl_bump
> > none, no config change is required on the client.
>
> What about the not allowed sites?

OK, you got me ;) - they are running in the default setting, which means
ssl_bump server-first, and get a certificate error - but as they are trying
to access a site not allowed, I don't really care about the error, as they
will be redirected anyway in my environment, and it's not important whether
Squid sends the "wrong" certificate to the client or the redirect webserver
does.

> The currently committed Peek and Splice code may not be able to do what
> you want, but depending on what exactly you want to do, we are getting
> close to a usable state.
>
> If you do want to bump some connections, and are ready to configure
> clients accordingly, then you may want to monitor branch commit messages
> and try again in a week or two. Otherwise, it is likely that what you
> need is either impossible (bumping without knowledge or consent) or
> requires another feature on top of Peek and Splice (terminating
> connections after peeking at the server certificate to learn the server
> name).

I would be fine using the current setup with ssl_bump none for allowed sites
and bumping the not allowed sites with a certificate error. Changing the ACL
from IP to ServerName from the hello messages would be good to get rid of the
IP script to get the actual server IPs.

greetingx,
Alex
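For readers landing on this thread later: the split Alex is after (match the ServerName from the ClientHello, tunnel allowed sites untouched, bump everything else) is exactly what the finished Peek and Splice feature in Squid 3.5 and later expresses with the `at_step` and `ssl::server_name` ACLs. The squid.conf fragment below is an added example, not configuration posted in this thread or shipped by the Squid project; the CA certificate path, the `ssl_crtd` helper path and the two allowed domains are placeholders you would replace with your own.

```conf
# Added example (not from the thread): SslBump on Squid 3.5+ that decides on
# the SNI from the ClientHello. Paths and domains below are assumptions.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# SslBump1 = after the CONNECT, SslBump2 = after the ClientHello was peeked
acl step1 at_step SslBump1

# Allowed sites, matched against the SNI the client sent in its ClientHello
# (at SslBump1 the ACL sees only the SNI, or the CONNECT host if no SNI)
acl allowed_sni ssl::server_name .example.com .example.org

# Step 1: read the ClientHello without changing it
ssl_bump peek step1
# Allowed sites are tunneled as-is: the client sees the origin certificate,
# so no client-side configuration is needed for them (the "ssl_bump none" case)
ssl_bump splice allowed_sni
# Everything else is bumped with a certificate signed by our CA; clients that
# do not trust that CA get the certificate error Alex describes
ssl_bump bump all
```

Two caveats a practitioner will hit: `ssl_bump` rules are evaluated anew at each step, so the `peek step1` line must come first, and a client that sends no SNI (old clients, some tooling) will not match `allowed_sni` by name and falls through to `bump all`, which is the behaviour to test before relying on the allow-list.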