On 4/06/2015 2:27 a.m., sp_ wrote: > Hello Nathan, > > thank you for an example. > > What version of squid are you running? > Mine is: > > > I've tried to apply the config you've posted, but with no luck. Squid can't > get the domain: > > Well, its not a simple situation. Lets start with clarifying some of the details... SNI is a relatively new feature of TLS. There is no guarantee of a domain name actually existing in the bumped (step1) metadata. So, Squid may have to do a peek at step2 to get the server cert details before it has any clue about what domain *might* be. Also that means the %ssl::>sni helper format token depended on with the ACL helper approach will be "-" for these requests. To resolve that use the new (in squid-3.5.4) ssl::server_name ACL instead. Which checks against the CONNECT hostname (if any) at step1+, SNI domain (if any) at step2+, and server cert domain at step3. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
