On 15/06/15 11:58, Amos Jeffries wrote:
> Ensure that you are using the very latest Squid version to avoid
> problems with unsupported TLS mechanisms. The latest Squid will also
> automatically splice if it's determined that the TLS connection cannot be
> bumped.

Is that supposed to be in 3.5.5? I just noticed a problem with bumping that came down to the web server requiring client cert validation, and squid-3.5.5 failed to splice - so it failed going through bump (as you'd expect). I guess I'm asking if this new "SSL determination" includes detecting client certs, because that would be a good one to detect if possible?

Now that I think of it, that might be a mug's game. The site I'm referring to had "SSLVerifyClient optional" on a subdirectory - so it's probably quite unfair to expect a TLS intercept to "magically" know which encrypted URLs it can fiddle with and which ones it can't ;-)

Hmmm, OTOH, maybe if squid decides a server is asking for even optional client certs, it declares the entire SNI to be splice instead of bump - frankly I'd live with that (i.e. it might start out bumping, but then flick to splice on the first bit of evidence that some part needed client certs - even optional).

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
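The detection Jason is asking about is observable on the wire in TLS 1.2 and earlier: a server that wants a client certificate sends a CertificateRequest handshake message (type 13) in the clear, between its Certificate and ServerHelloDone messages. The script below is an added illustration written for this thread, not Squid code and not something the thread says Squid implements: it reassembles a server's handshake flight from raw TLS records, reports whether a CertificateRequest was seen, and returns the "splice rather than bump" decision Jason proposes. The handshake bytes are constructed inline (an empty certificate chain, one signature algorithm, no CA names) so it runs offline; the function names are the author's own. Caveat a practitioner should keep in mind: in TLS 1.3 the CertificateRequest is sent encrypted after the ServerHello, so this kind of passive inspection cannot see it there, and a server using `SSLVerifyClient optional` only on a subdirectory will typically ask only on a renegotiation for that path, which the initial handshake does not reveal at all, as the post already suspects.

```python
"""Detect a TLS 1.2 CertificateRequest in a server's handshake flight.

Added example for the squid-users thread above; hypothetical helper names,
constructed sample bytes. Not part of Squid.
"""
import struct

HANDSHAKE = 22            # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13  # handshake message type (RFC 5246 7.4.4)
SERVER_HELLO_DONE = 14
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}


def tls_record(payload, content_type=HANDSHAKE, version=b"\x03\x03"):
    """Wrap payload in one TLS record: type(1) version(2) length(2) payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake_msg(msg_type, body):
    """Build one handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def handshake_messages(data):
    """Split raw records into (type, body) handshake messages.

    Handshake messages may be fragmented across records, so all handshake
    record payloads are concatenated before the message framing is parsed.
    """
    buf = bytearray()
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            buf += payload
        off += 5 + length
    msgs = []
    pos = 0
    while pos + 4 <= len(buf):
        mtype = buf[pos]
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        body = bytes(buf[pos + 4:pos + 4 + mlen])
        if len(body) != mlen:
            raise ValueError("truncated handshake message")
        msgs.append((mtype, body))
        pos += 4 + mlen
    return msgs


def parse_certificate_request(body):
    """Decode a TLS 1.2 CertificateRequest body into its three lists."""
    n = body[0]
    cert_types = list(body[1:1 + n])          # e.g. 1 = rsa_sign
    p = 1 + n
    sa_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(p, p + sa_len, 2)]
    p += sa_len
    dn_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end, ca_count = p + dn_len, 0
    while p < end:                              # each DN is length(2) + DER
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]
        ca_count += 1
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_count": ca_count}


def bump_or_splice(server_flight):
    """Return 'splice' if the server asked for a client cert (even optionally),
    'bump' once a full flight arrived without one, else 'incomplete'."""
    types = [t for t, _ in handshake_messages(server_flight)]
    if CERTIFICATE_REQUEST in types:
        return "splice"
    if SERVER_HELLO_DONE in types:
        return "bump"
    return "incomplete"


# Constructed sample flights (not captured traffic).
SERVER_HELLO = handshake_msg(2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
CERTIFICATE = handshake_msg(11, b"\x00\x00\x00")                     # empty chain
CERT_REQUEST = handshake_msg(13, b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00")
HELLO_DONE = handshake_msg(14, b"")

# CertificateRequest deliberately split across two records to exercise reassembly.
FLIGHT_WITH_CR = (tls_record(SERVER_HELLO + CERTIFICATE + CERT_REQUEST[:3])
                  + tls_record(CERT_REQUEST[3:] + HELLO_DONE))
FLIGHT_WITHOUT_CR = tls_record(SERVER_HELLO + CERTIFICATE + HELLO_DONE)
FLIGHT_PARTIAL = tls_record(SERVER_HELLO)

if __name__ == "__main__":
    for name, flight in [("with CR", FLIGHT_WITH_CR), ("without CR", FLIGHT_WITHOUT_CR),
                         ("partial", FLIGHT_PARTIAL)]:
        seen = [HS_NAMES.get(t, t) for t, _ in handshake_messages(flight)]
        print(f"{name:11s} {seen} -> {bump_or_splice(flight)}")
```

The decision function treats any CertificateRequest as grounds to splice, which matches the "even optional" rule Jason proposes: the message itself does not say whether the server will reject a connection with no client cert, so a bumping proxy cannot distinguish `SSLVerifyClient optional` from `require` at this point.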