On 03/09/2016 08:00 PM, Alex Samad wrote:
> from http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> # Better safe than sorry:
> # Terminate all strange connections.
> ssl_bump splice serverIsBank
> ssl_bump bump haveServerName
> ssl_bump peek all
> ssl_bump terminate all
>
> I am not sure how haveServerName is constructed

It is up to the Squid admin.

> I read this as
> 1) splice the connection if it meets ACL serverIsBank

Yes. I would replace "if" with "as soon as", to be slightly more precise.

> 2) bump the connection (MTM) if acl haveServerName is met

Yes. I would replace "if" with "as soon as", to be slightly more precise.

> 3) try and peek the ssl connection . which I understand is start MTM

There is no "try" here. Bugs/problems notwithstanding, "peek" always succeeds. Roughly speaking, this non-final action receives either SSL client or SSL server information (depending on the SslBump step) without changing any bytes on the wire. The "MTM" term is too vague/overloaded to use in this specific context, but you can think of peeking as a "passive MitM" if it helps.

Please note that the peek action can only match during the first two SslBump steps. It is ignored during the third step.

> whilst keeping the ability to splice. I presume this means look at the
> client cert and the server cert ? so you get more info.... But this
> doesn't stop the process ?

Yes, when peek ACL matches, Squid moves to the next SslBump step.

> 4) terminate all that get here. again nothing stops at #3 it just
> gathers more info ?

Yes. To quote the same page you are citing: "All actions except peek and stare correspond to final decisions: Once an ssl_bump directive with a final action matches, no further ssl_bump evaluations will take place, regardless of the current processing step."

HTH,

Alex.
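The following is an added illustration, not code from the thread or from Squid: a small model of how the quoted ssl_bump rules are walked across the three SslBump steps (first match wins, peek is non-final and is ignored at step 3, a final action ends evaluation). The ACL definitions are assumptions, since the thread says they are up to the admin: haveServerName is taken to mean "the client sent a TLS SNI", serverIsBank to mean "that SNI is under a constructed bank domain", and both are modelled as becoming known at step 2.

```python
# Added model of ssl_bump rule evaluation; not Squid's own code.
# ACL semantics below are assumptions chosen for illustration.

FINAL_ACTIONS = {"splice", "bump", "terminate"}
NON_FINAL_ACTIONS = {"peek", "stare"}   # only allowed during steps 1 and 2

# The ssl_bump directives from the quoted configuration, in file order.
RULES = [
    ("splice", "serverIsBank"),
    ("bump", "haveServerName"),
    ("peek", "all"),
    ("terminate", "all"),
]

BANK_DOMAINS = (".bank.example",)  # constructed sample, not a real ACL


def facts_at_step(conn, step):
    """What Squid is modelled to know about a connection at a given step."""
    facts = {"client_ip": conn["client_ip"]}      # step 1: TCP-level info only
    if step >= 2:                                  # step 2: ClientHello parsed
        facts["sni"] = conn.get("sni")
    return facts


def acl_matches(acl, facts):
    """Assumed ACL definitions (the thread leaves these to the admin)."""
    if acl == "all":
        return True
    sni = facts.get("sni")
    if acl == "haveServerName":
        return bool(sni)
    if acl == "serverIsBank":
        return bool(sni) and sni.endswith(BANK_DOMAINS)
    raise ValueError(f"unknown ACL {acl}")


def decide(conn):
    """Walk steps 1..3; return (final_action, step at which it was reached)."""
    for step in (1, 2, 3):
        facts = facts_at_step(conn, step)
        for action, acl in RULES:
            if action in NON_FINAL_ACTIONS and step == 3:
                continue                      # peek/stare are ignored at step 3
            if acl_matches(acl, facts):
                if action in FINAL_ACTIONS:
                    return action, step       # final decision: stop evaluating
                break                         # non-final: proceed to next step
    # Unreachable with a trailing "terminate all"; Squid applies its default here.
    raise RuntimeError("no ssl_bump rule matched")
```

With no SNI, steps 1 and 2 both peek, and at step 3 the peek rule is skipped so "terminate all" catches the connection, which is the "strange connections" case the quoted comment refers to.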