Re: can't get bump to work anymore on 3.5.7?

On 08/19/2015 04:09 AM, Jason Haar wrote:

> So is there no way to get the SNI field from the client without breaking
> the opportunity for bump?

SNI is obtained during step #1. Peeking during step #1 does _not_
preclude future bumping.

If you want to get SNI and bump, then peek at step #1 and bump at the
next step (i.e., step #2):

  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump bump !bank


Please note that doing so will give you no knowledge about the SSL
server's point of view. All your decisions will be based on what the
client has told you. This is often not a problem because, in most cases,
if the client lied, the [bumped or spliced] connection to the SSL server
will not work anyway. However, if the client supplied no SNI
information, then your "bank" ACL (or equivalent) may not have enough
information to go on, especially for intercepted connections.

If you also peek at step #2, you will know the server certificate, but
you will no longer be able to bump the connection in most cases.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
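The point Alex makes above is that a step #1 peek only sees the client's ClientHello, so the name the "bank" ACL has to work with is whatever SNI the client chose to send, if any. The following Python is an added example, not code from this thread or from Squid: it constructs ClientHello records (labelled as constructed), pulls the server_name extension out the way a peeking proxy would, and applies the thread's "bump unless bank" rule on top. The bank domain list and the fallback for a ClientHello without SNI are assumptions made here; in particular the "splice when no name" fallback is a conservative policy chosen for the example, not a statement of how Squid evaluates `ssl_bump bump !bank` when the SNI is absent.

```python
"""Added example (not from the squid-users thread or the Squid code base): what a
peeking proxy learns at SslBump step 1. Only the client's ClientHello has been
seen at that point, so the only name available is the SNI extension, and a
client may simply not send one. The bank domain list, the ClientHello bytes
and the fallback policy for a missing SNI are all constructed/assumed here."""
import struct
from typing import Optional

# Stand-in for the "bank" ACL from the thread (assumed names, dstdomain-style:
# a leading dot matches the domain itself and every subdomain).
BANK_DOMAINS = (".bank.example", "login.otherbank.example")


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (test input only).

    One unrelated extension (ec_point_formats) is always present so the parser
    has to skip past it; server_name is added only when sni is given.
    """
    exts = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"               # ec_point_formats
    if sni is not None:
        host = sni.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host  # host_name (type 0)
        sn_list = struct.pack("!H", len(name_entry)) + name_entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list  # server_name
    hello = b"\x03\x03" + bytes(32)                      # client_version + random
    hello += b"\x00"                                     # empty session_id
    hello += struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
    hello += b"\x01\x00"                                 # compression: null only
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # ClientHello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                             # client_version + random
    pos += 1 + hello[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hello[pos]                                    # compression_methods
    if pos >= len(hello):
        return None                                          # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:                               # only server_name matters here
            continue
        list_len = struct.unpack("!H", data[0:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                               # host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def matches_bank(name: str) -> bool:
    """dstdomain-style match of a client-supplied name against BANK_DOMAINS."""
    name = name.lower().rstrip(".")
    for pattern in BANK_DOMAINS:
        if pattern.startswith("."):
            if name == pattern[1:] or name.endswith(pattern):
                return True
        elif name == pattern:
            return True
    return False


def decide_step2(sni: Optional[str]) -> str:
    """Step-2 decision based only on what the client said at step 1.

    With a name: the thread's rule, bump unless it is a bank. Without a name
    there is nothing to match, so this example falls back to "splice"; that is
    a conservative policy chosen here, not a description of how Squid evaluates
    "ssl_bump bump !bank" when no SNI was sent.
    """
    if sni is None:
        return "splice"
    return "splice" if matches_bank(sni) else "bump"


if __name__ == "__main__":
    for name in ("www.bank.example", "news.example.org", None):
        seen = parse_client_hello_sni(build_client_hello(name))
        print(f"SNI={seen!r:28} -> {decide_step2(seen)}")
```

The suffix match deliberately requires the leading dot, so a name like evilbank.example does not satisfy the .bank.example entry; and because everything here comes from the client, a lying client can steer the decision, which is exactly the trade-off the reply describes.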
