On 28/10/2015 9:11 a.m., Jatin Bhasin wrote:
> Hi Amos,
>
> My client is sending sni. I have checked this. Squid only generates SNI
> fake connect at step2 if sslbump action is splice. For all other ssl bump
> actions it does not generate fake connect with sni.
> Is this a bug or limitation in squid? Do you plan in future to change it?

It's not a bug exactly. I'm not sure at this point what we will do about it. Alex and Christos are apparently doing a bit of redesign of the process and I'm not sure how that is going or planned to be yet.

Conceptually the fake CONNECT represents the server authority named in the protocol prior to the TLS handshake beginning. Which is TCP, and thus the server IP from the TCP SYN packet. That has already been accepted through the http_access permissions in its raw-IP form.

Personally I am leaning more and more towards having Squid simply do the step-1 peek in all traffic. So access controls and permissions start at step 2 with SNI going through the http_access rules in the fake CONNECT. But that would possibly have issues where people want or are required to terminate or splice without peek happening first. From a security standpoint it should not matter, but we still have to verify that.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
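The arrangement Amos describes, as an added configuration example that is not from the thread or the Squid project: peek on every intercepted TLS connection at step 1, so that the step 2 fake CONNECT carries the SNI host and http_access can judge the server name rather than only the raw IP from the SYN. The port number, certificate path, acl names and the blocked domain are assumptions.

```conf
# Added example; port, cert path, acl names and domains are placeholders.
https_port 3129 intercept ssl-bump cert=/etc/squid/proxyCA.pem generate-host-certificates=on

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: only the server IP from the TCP SYN is known. Peeking reads the
# ClientHello (and its SNI) without committing to splice or bump yet.
ssl_bump peek step1

# Step 2: Squid now emits a fake CONNECT naming the SNI host, so a
# server-name acl in http_access is evaluated against that name.
acl blocked_sni ssl::server_name .blocked.example
http_access deny blocked_sni

# Everything that passed http_access is passed through untouched.
ssl_bump splice all
```

With peek at step 1 only, the name used at step 2 is the client-supplied SNI, not a certificate-validated name; a stricter check would peek at step 2 as well and match on the server certificate.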