On 08/19/2015 04:09 AM, Jason Haar wrote:
> So is there no way to get the SNI field from the client without breaking
> the opportunity for bump?

SNI is obtained during step #1. Peeking during step #1 does _not_ preclude future bumping. If you want to get SNI and bump, then peek at step #1 and bump at the next step (i.e., step #2):

    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump !bank

Please note that doing so will give you no knowledge about the SSL server point of view. All your decisions will be based on what the client has told you. This is often not a problem because, in most cases, if the client lied, the [bumped or spliced] connection to the SSL server will not work anyway. However, if the client supplied no SNI information, then your "bank" ACL (or equivalent) may not have enough information to go on, especially for intercepted connections.

If you also peek at step #2, you will know the server certificate, but you will no longer be able to bump the connection in most cases.

HTH,

Alex.