On 16/02/2016 12:46 p.m., HackXBack wrote:
> What are the requirements for ssl::server_name to work with SNI (squid
> 3.5.12) ?
>
> In principle, I want to do this (from squid.conf):
> ....
> # get the public TLS metadata (includes SNI)
> ssl_bump peek all

This will peek at both step 1 and 2.

> # block based on SNI matching
> acl blocked ssl::server_name .example.com
> ssl_bump terminate blocked

This is only reached at step 3, which means it will happen based on server
cert matching (*NOT SNI*). Also, terminate seems to require similar
operations to bump, so after the step 2 peek it may not work reliably.

> # tunnel (no decrypting) for everything else
> ssl_bump splice all
> .....
>
> Few questions regarding the pre-requisites for this to work:
> - It should not be necessary to install squid's cert in the client, correct ?

Correct. SNI has nothing to do with whether the client trusts *Squid's*
certificate.

> - squid.conf: Anything missing in next line (cert for squid) ?
> http_port 3129 intercept ssl-bump

The cert= settings are still required here, that is just to get ssl-bump
operating.

> - Anything else required ?
>

* The client is required to send SNI.
* Squid peek or stare action is required to be configured at step 1 of
  ssl_bump processing.

That is all.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
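An added example (not from the thread) of the rule ordering Amos describes: peek only at step 1, so the SNI from the ClientHello is available when the terminate/splice decision is made at step 2, before any server certificate is involved. The `at_step`/`SslBump1` acl, the use of `https_port` for the intercepted TLS port and the certificate paths are assumptions, not taken from the post.

```conf
# Added example, not from the thread. Intercepted TLS port: the cert= / key=
# settings are still needed to get ssl-bump operating, even though clients
# are never asked to trust this certificate (placeholder paths).
https_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem key=/etc/squid/bump.key

# at_step acl (assumed available in squid 3.5): restricts a rule to one step.
acl step1 at_step SslBump1
acl blocked ssl::server_name .example.com

# Step 1: peek only. Reading the ClientHello yields the client's SNI.
ssl_bump peek step1
# Step 2: SNI is now known, so this match is on the client-supplied name,
# not on the server certificate seen at step 3.
ssl_bump terminate blocked
# Everything else is tunneled without decryption.
ssl_bump splice all
```

Because the match relies on the client-supplied SNI, a client that omits it never matches `blocked` and falls through to `splice all`; treat such connections separately if that is not acceptable.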