
Re: problem with some ssl services


 



On 17/06/2015 6:52 p.m., Jason Haar wrote:
> On 15/06/15 11:58, Amos Jeffries wrote:
>> Ensure that you are using the very latest Squid version to avoid
>> problems with unsupported TLS mechanisms. The latest Squid will also
>> automatically splice if it's determined that the TLS connection cannot be
>> bumped.
> Is that supposed to be in 3.5.5? I just noticed a problem with bumping
> that came down to the
> web server requiring client cert validation and squid-3.5.5 failed to
> splice - so it failed going through bump
> (as you'd expect).
> 
> I guess I'm asking if this new "SSL determination" includes detecting
> client certs, because that would be a
> good one to detect if possible?

It would seem so. AFAIK we are only detecting resumed sessions and
incompatible cipher sets at present. You may want to contact Christos
about the client certs.

FYI: the "ssl_bump peek all" config I have been advising may not always
be the best. It seems there is some use for the "stare" option during
stage2 bumping instead of peek. But I'm not sure yet myself on when it's
best to do that over peek. You might want to try it.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
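
The peek-versus-stare choice at stage 2 discussed in this message, as an added squid.conf sketch that is not part of the original post or the posters' own configuration. The ACL name `clientcert_sites` and the domain `.clientcert.example.com` are hypothetical placeholders; the admin-maintained splice list is an assumed workaround for servers that request client certificates, which the thread says Squid 3.5.5 does not detect on its own.

```conf
# Added example (not from the thread). ACL names and the domain are hypothetical.

# Built-in step ACLs for the three SslBump processing stages.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Hypothetical, admin-maintained list of servers known to request
# client certificates. Matched against the CONNECT host or the TLS SNI.
acl clientcert_sites ssl::server_name .clientcert.example.com

# Stage 1: receive the TLS ClientHello so the SNI is available to
# the rules evaluated at stage 2.
ssl_bump peek step1

# Tunnel the listed sites without decrypting, so the client's own
# certificate reaches the origin server unchanged.
ssl_bump splice clientcert_sites

# Variant A, peek at stage 2: keeps splice possible at stage 3 but
# usually rules out bump there. Use when the goal is to inspect the
# server certificate and then tunnel.
# ssl_bump peek step2
# ssl_bump splice all

# Variant B, stare at stage 2: keeps bump possible at stage 3 but
# usually rules out splice there. Use when the goal is to decrypt.
ssl_bump stare step2
ssl_bump bump all
```

Rules are evaluated top to bottom at each stage and the first match wins, so the splice rule for the listed sites has to come before the stage 2 stare or peek rule.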



