Re: Squid SNI at Step 2


Hi Alex,

Thanks. I understand this. I want a mechanism by which Squid can send
the FAKE CONNECT SNI as a HOST request to the eCAP adapter so that I can
decide whether to bump this connection or not. So do you think this
will not be possible in the current release of Squid?

Squid does not generate the SNI FAKE CONNECT until we splice at step 2. Do
you know why Squid does not generate a FAKE CONNECT request for
bump and peek actions at step2?


Thanks,
Jatin



On Tue, Oct 27, 2015 at 4:20 AM, Alex Rousskov
<rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 10/26/2015 06:34 AM, Jatin Bhasin wrote:
>
>> I am running Squid 3.5.10 for bumping transparent SSL connections. To
>> achieve this I am using the following Squid configuration for SSL bumping.
>>
>> ssl_bump peek step1 all
>> ssl_bump peek step2 nobumpSites
>> ssl_bump bump step3 nobumpSites
>> ssl_bump bump all
>
>
> In the latest Squids, the above config probably does not do what you
> want. For nobumpSites, your config is equivalent to:
>
>   ssl_bump peek step1
>   ssl_bump peek step2
>   ssl_bump bump step3
>
> which does not work in most cases -- you cannot bump after peeking at step2.
>
> For all other sites, your config is equivalent to:
>
>   ssl_bump peek step1
>   ssl_bump bump step2
>
> which works.
>
>
> If you want to bump everything, then this should work:
>
>   ssl_bump stare all
>   ssl_bump bump all
>
> If you want to bump everything other than nobumpSites (which needs SNI),
> then start with something like this:
>
>   ssl_bump peek step1
>   ssl_bump splice nobumpSites
>   ssl_bump bump all
>
>
> HTH,
>
> Alex.
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
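
The rule reductions described in the quoted reply can be reproduced with a small first-match model of ssl_bump evaluation. This is an added example, not part of the thread and not Squid code. It assumes that rules are re-evaluated at each step with the first match winning, that peek and stare rules are skipped at step 3, and that membership in nobumpSites is a fixed flag (in Squid it depends on SNI obtained by peeking at step 1).

```python
# Simplified model of ssl_bump rule evaluation (assumptions listed in the lead-in).
FINAL = {"splice", "bump", "terminate"}   # actions that end step processing
STEP_1_2_ONLY = {"peek", "stare"}         # assumed impossible at step 3, so skipped

ORIGINAL = """
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump bump step3 nobumpSites
ssl_bump bump all
"""
BUMP_ALL = "ssl_bump stare all\nssl_bump bump all"
SPLICE_LIST = "ssl_bump peek step1\nssl_bump splice nobumpSites\nssl_bump bump all"


def parse(config):
    """Turn 'ssl_bump <action> <acl>...' lines into (action, [acl names])."""
    lines = (line.split() for line in config.strip().splitlines())
    return [(w[1], w[2:]) for w in lines if w and w[0] == "ssl_bump"]


def trace(config, nobump_site):
    """Return the action chosen at each step for one connection."""
    rules, chosen = parse(config), []
    for step in (1, 2, 3):
        acls = {"all": True, "nobumpSites": nobump_site,
                "step1": step == 1, "step2": step == 2, "step3": step == 3}
        for action, names in rules:
            if step == 3 and action in STEP_1_2_ONLY:
                continue                       # impossible at this step
            if all(acls[n] for n in names):    # ACLs on one line are ANDed
                chosen.append(action)
                break
        else:
            chosen.append("no-match")          # default behaviour is not modelled
        if chosen[-1] in FINAL or chosen[-1] == "no-match":
            break
    return chosen


def peek_then_bump(actions):
    """Flag the combination the reply says does not work in most cases."""
    return len(actions) == 3 and actions[1] == "peek" and actions[2] == "bump"


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("bump all", BUMP_ALL),
                      ("splice list", SPLICE_LIST)):
        for listed in (True, False):
            steps = trace(cfg, listed)
            print(name, "nobumpSites" if listed else "other", steps,
                  "PROBLEM" if peek_then_bump(steps) else "ok")
```
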



