Thanks for catching that regex error. I will change it to what you suggest.
SNI not providing the needed server info would explain the problem I guess I will just wait for any improvements to the SNI acl.On Fri, Sep 4, 2015 at 3:59 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 5/09/2015 8:37 a.m., Stanford Prescott wrote:
>> acl s1_tls_connect at_step SslBump1
>> acl s2_tls_client_hello at_step SslBump2
>> acl s3_tls_server_hello at_step SslBump3
>>
>> acl tls_server_name_is_ip ssl::server_name_regex \
>> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
>
> You have a letter 'n' on the end there is that intentional?
>
> It would seem so. I copied that from someone else's "peek-splice"
> directives that they said worked well for them. The actual regex in the
> perl script that writes squid.conf is *"print FILE "acl
> tls_server_name_is_ip ssl::server_name_regex
> ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\n\n";*."
Thats not right. The script is broken.
The '$' in that position is an anchor on the pattern. Not a variable
perl is interpreting it as.
Not that a $ anchor would work, since the input contains a ":port" section.
A better raw-IP pattern is:
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
I think the main problem though is that the SNI support is not yet fully
polished.
Amos
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
