On 06/01/15 05:28, Eliezer Croitoru wrote:

> In 3.5 there will be present a new feature called peek and splice that can give an interface to squid and the admin which will allow the admin to know a couple of things about the connection from squid and specifically first the client TLS request.

Is there an example document showing just how to do this? Looking at the current docs, I can't quite figure out how to layer them all together to achieve what I'd imagine 99% of sysadmins wanting to do ssl-bump need to do.

Even squid-3.4 works very well without peek/splice - if you are using it as a formal proxy. But it all falls apart with transparent tcp 443 - as squid only has the dst IP...

What I'd like to do is to use peek to grab the SSL server name the client sends so that it is available to acls (and external acl calls - and logging?) as if the client had gone "CONNECT server.name:443"?

A quick sniff with wireshark shows Firefox (as an example) sends the server name as a client SNI request in the first "real" packet (i.e. after the 3-way), so that smells to my naive understanding as "good for a peek" - and should allow squid to do an initial chat with the client, get the SNI, then dupe with the real server, then decide whether to splice or bump the rest?

Clients that don't support SNI will probably have to be spliced - I don't care - I'm only interested in running AV scanners and porn filters over HTTPS requests from web browsers - the 0.1% remaining SSL traffic can slip through the cracks for all I care ;-)

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
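The layering the post asks about, as an added squid.conf example that is not from the original thread or the Squid project docs: peek at step 1 to read the ClientHello SNI, then at step 2 use `ssl::server_name` to splice a no-decrypt list and non-SNI clients and bump everything else. The CA path, ssl_crtd/ssl_db paths, the `.test` domains and the assumption that `ssl::server_name` falls back to the intercepted IP when no SNI is present are all placeholders or assumptions.

```conf
# Transparent HTTPS interception, Squid 3.5+ (added example; assumes
# port 443 is redirected to 3129 and a bumping CA at a placeholder path).
https_port 3129 intercept ssl-bump cert=/etc/squid/bumpCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Dynamic certificate generator; binary and db paths are placeholders.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Name the SslBump decision points.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Sites that must never be decrypted (constructed sample list).
acl nobump ssl::server_name .example-bank.test .example-health.test

# Assumption: with no SNI, ssl::server_name is the intercepted dst IP,
# so a purely numeric "name" marks a non-SNI client to be left alone.
acl no_sni ssl::server_name_regex ^[0-9.]+$

# Step 1: Squid only has the dst IP. peek reads the ClientHello (SNI)
# without committing to bump or splice.
ssl_bump peek step1

# Step 2: the peeked SNI now drives ssl::server_name ACLs (and external
# ACL lookups keyed on it). Splice what must not be decrypted, bump the rest
# so ICAP/AV and URL filtering see the plaintext requests.
ssl_bump splice nobump
ssl_bump splice no_sni
ssl_bump bump all

# Log the SNI Squid saw and the bump decision it took.
logformat bumplog %ts.%03tu %>a %ssl::>sni %ssl::bump_mode %Ss
access_log /var/log/squid/bump.log bumplog
```

Check the `bump_mode` column in the log against the `nobump` list before enabling scanning, so a mis-matched ACL shows up as an unexpected `bump` rather than as a broken banking session.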