On 26/02/2016 12:38 a.m., Cohen-Rose, Adam wrote:
> We're trying to use SSL bump to splice traffic from a CDN (cdn.teads.tv)
>
> The CDN server certificate uses Subject Alternative Names in its
> certificate to identify the cdn.teads.tv domain rather than the Common
> Name (which is set to aka.proceau.net).
>
> Can we use SSL bump to splice requests to cdn.teads.tv or do we need to
> use the CN domain to identify the CDN?

Yes, the ssl::server_name ACL type matches SubjectAltName in the server
certificate during *step 3* of the ssl_bump process. You first have to
peek/stare at the serverHello data to get it.

>
> We'd like to terminate other connections so our current SSL Bump config is:
>
>   acl tcp_level at_step SslBump1
>   acl client_hello_peeked at_step SslBump2
>   ssl_bump peek tcp_level all

NP: the " all" is meaningless.

>
>   acl to_teads_tv_ssl ssl::server_name cdn.teads.tv
>
>   ssl_bump splice client_hello_peeked to_teads_tv_ssl
>

That deals with the cases where SNI matched. But the serverHello is still
not known yet, so the SubjectAltName is not known. The terminate will
happen on step 2 if the SNI did not match. You need to peek/stare again to
move on to the cert details.

>   ssl_bump terminate all
>

Why don't you try this:

  # splice whenever cdn.teads.tv is identified
  ssl_bump splice to_teads_tv_ssl

  # peek at both clientHello or serverHello data
  acl hello at_step SslBump1 SslBump2
  ssl_bump peek hello

  # otherwise terminate
  ssl_bump terminate all

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
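Before relying on an ssl::server_name match at step 3, it is worth confirming which names the origin certificate actually carries, since a name present only in the SubjectAltName (as with the CDN certificate described in the thread) is invisible until the serverHello has been peeked. The script below is an added example, not code from the thread or from the Squid project. It assumes OpenSSL 1.1.1 or later on the PATH (for the -addext and -ext options) and, so that it runs offline, builds a throwaway self-signed certificate with the same shape as the one described (CN=aka.proceau.net, SAN containing cdn.teads.tv) instead of fetching the real CDN certificate; the host names are the ones from the thread, the file paths are arbitrary.

```shell
#!/bin/sh
# Added example: inspect CN and SubjectAltName of a PEM certificate with
# the openssl CLI, the way an admin would check what Squid's
# ssl::server_name ACL can see at SslBump step 3.
# Assumes OpenSSL >= 1.1.1 (needs -addext on req and -ext on x509).

# make_cert PEMFILE CN SANLIST
# Constructed test certificate (self-signed, 1 day) whose CN differs
# from its SANs, mirroring the CDN certificate discussed in the thread.
# The private key is written next to the certificate as PEMFILE.key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1" -subj "/CN=$2" \
    -addext "subjectAltName=$3" >/dev/null 2>&1
}

# cert_cn PEMFILE
# Prints the Common Name from the subject (RFC2253 form: "CN=host").
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_sans PEMFILE
# Prints every DNS entry of the SubjectAltName extension, one per line.
# Output of "-ext subjectAltName" looks like "DNS:a, DNS:b", so split on
# commas and keep only the DNS: items (IP: or email: entries are dropped).
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# name_in_cert PEMFILE HOSTNAME
# Exit 0 if HOSTNAME equals the CN or any SAN DNS entry, 1 otherwise.
# Squid's ssl::server_name ACL consults the same two places once it has
# the server certificate; before step 3 only the SNI is available.
name_in_cert() {
  [ "$(cert_cn "$1")" = "$2" ] && return 0
  cert_sans "$1" | grep -qx "$2"
}

# Usage (against a real certificate saved with
#   openssl s_client -connect cdn.teads.tv:443 -servername cdn.teads.tv \
#     </dev/null 2>/dev/null | openssl x509 > cdn.pem ):
#   name_in_cert cdn.pem cdn.teads.tv && echo "matchable at step 3"
```

If `cert_cn` prints a different host than the one you intend to splice and the name only shows up in `cert_sans`, then a splice rule that fires at SslBump2 can only match on SNI; the certificate-based match requires the peek at SslBump2 to go through so the rule is re-evaluated at SslBump3, which is exactly the ordering Amos proposes above.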