
Re: High CPU Usage with ssl_bump

Hi Alex,

I have now changed to *configurations suggested specifically for your use case, on this email thread* :)



acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare all
ssl_bump bump all

Now, suppose, as I think in my mind, bumping isn't really what I need: can I just comment out 'ssl_bump bump all' and sit easy, or should I switch to
ssl_bump splice all ??

I am sorry for my confusion...I think I have been on this way too long that my small brain has reached /etc (saturation point).

Thank you once again.



On 21 April 2016 at 21:06, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 04/21/2016 08:12 AM, Odhiambo Washington wrote:

> acl no_ssl_interception ssl::server_name ...
> ssl_bump splice no_ssl_interception
> ssl_bump stare step2
> ssl_bump splice all

You are mixing splice and stare now. There are two groups of actions:

* peek and then splice
* stare and then bump

Do not mix actions from different groups together unless you know what
you are doing.


> So basically I should just have two options, I think, no?? Like
>
> ssl_bump stare step2
> ssl_bump splice all

Two bugs in this config:

1. It will splice everything during step #1. It is equivalent to:

   ssl_bump splice all


2. To quote the wiki page:

stare (step2): Receive server certificate while preserving the
possibility of bumping the connection. Staring at the server certificate
usually precludes future splicing of the connection.

squid.conf.documented has very similar text as well.

You are telling Squid to do exactly what the documentation tells
you is not usually possible.


I can understand that it may be difficult to find and interpret
documentation correctly. I can understand that it is difficult to
evaluate a given configuration correctly. What I cannot understand is
why you are not starting with configurations suggested specifically for
your use case, on this email thread.


> If one day, for some reason I want to bump, then I could change to:
>
> ssl_bump splice no_ssl_interception
> ssl_bump stare step2
> ssl_bump bump all

Similar to #1 above, this will bump all connections not matching the
[misnamed] no_ssl_interception during step1.

The first matching action wins. During step1, that action is "bump" from
your last rule if no_ssl_interception does not match.


HTH,

Alex.




--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
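The rule-selection logic Alex describes (first matching ssl_bump action wins at each SslBump step, and a `step2` ACL cannot match during step1) can be checked mechanically. The Python below is an added example written for this page, not Squid's own code: it parses the `acl` / `ssl_bump` lines of the configs discussed in the thread and walks them through steps 1 to 3. Three things it assumes are labelled in the code: `ssl::server_name` sees only the SNI at step1 and the server-certificate name from step2 on; a connection with no matching rule stays an undecrypted tunnel; and a peek/stare still matching at step3 is resolved in the direction it preserved. The site list is a constructed stand-in for ssl_bump_broken_sites.txt, and the `peek step1` / `splice all` form of the first group is the usual one and is not on this page.

```python
"""Model of Squid's ssl_bump rule selection: at each SslBump step the first
rule whose ACLs all match wins. Added example, not Squid's own code."""

# Constructed stand-in for the names in ssl_bump_broken_sites.txt.
LISTED = "bank.example login.example"

# The two configs Alex flags as buggy, the stare/bump config from the reply,
# the usual peek-then-splice form of the first group (assumed here), and a
# config that stares at step2 and then asks for a splice.
BUG1 = "acl step2 at_step SslBump2\nssl_bump stare step2\nssl_bump splice all\n"
BUG2 = f"""acl no_ssl_interception ssl::server_name {LISTED}
acl step2 at_step SslBump2
ssl_bump splice no_ssl_interception
ssl_bump stare step2
ssl_bump bump all
"""
STARE_BUMP = f"""acl no_ssl_interception ssl::server_name {LISTED}
ssl_bump splice no_ssl_interception
ssl_bump stare all
ssl_bump bump all
"""
PEEK_SPLICE = "acl step1 at_step SslBump1\nssl_bump peek step1\nssl_bump splice all\n"
MIXED = """acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump stare step1
ssl_bump stare step2
ssl_bump splice all
"""


def parse_ssl_bump(conf):
    """Collect 'acl' definitions and the ordered 'ssl_bump <action> <acl...>' rules."""
    acls = {"all": ("all", [])}
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "acl":
            acls[words[1]] = (words[2], words[3:])
        elif len(words) >= 2 and words[0] == "ssl_bump":
            rules.append((words[1], words[2:] or ["all"]))
    return acls, rules


def acl_matches(name, acls, step, sni, cert_name):
    kind, args = acls[name]
    if kind == "all":
        return True
    if kind == "at_step":
        return f"SslBump{step}" in args
    if kind == "ssl::server_name":
        # Assumption of this model: step1 sees only the client's SNI; from step2
        # the name in the server certificate is known as well.
        known = [sni] if step == 1 else [sni, cert_name]
        return any(n in args for n in known if n)
    raise ValueError(f"acl type not modelled: {kind}")


def first_match(rules, acls, step, sni, cert_name):
    for action, acl_names in rules:
        if all(acl_matches(n, acls, step, sni, cert_name) for n in acl_names):
            return action
    return "splice"  # assumption: no matching rule leaves the tunnel undecrypted


def decide(conf, sni, cert_name=None):
    """Walk steps 1..3 and report the final action, the step it was chosen at,
    and whether it contradicts a peek/stare performed at step2."""
    acls, rules = parse_ssl_bump(conf)
    trace, step2_action = [], None
    for step in (1, 2, 3):
        action = first_match(rules, acls, step, sni, cert_name)
        if step == 3 and action in ("peek", "stare"):
            # Assumption: peek/stare exist only at steps 1 and 2; a third one is
            # resolved in the direction it preserved (peek->splice, stare->bump).
            action = "splice" if action == "peek" else "bump"
        trace.append(f"step{step}:{action}")
        if action in ("peek", "stare"):
            step2_action = action if step == 2 else step2_action
            continue
        # The wiki text quoted in the thread: staring at the server certificate
        # precludes splicing, peeking at it precludes bumping.
        conflict = (step2_action, action) in {("stare", "splice"), ("peek", "bump")}
        return {"final": action, "decided_at": step, "trace": trace, "conflict": conflict}


if __name__ == "__main__":
    for label, conf in [("BUG1", BUG1), ("BUG2", BUG2), ("STARE_BUMP", STARE_BUMP),
                        ("PEEK_SPLICE", PEEK_SPLICE), ("MIXED", MIXED)]:
        print(label, "example.com:", decide(conf, "example.com", "example.com"))
    print("STARE_BUMP, no SNI, cert says bank.example:", decide(STARE_BUMP, None, "bank.example"))
```

Running it reproduces both of Alex's points: `BUG1` splices every connection at step1 because `stare step2` cannot match there, and `BUG2` bumps everything not on the list at step1 for the same reason. `STARE_BUMP` (the config in the reply above) stares through steps 1 and 2 and ends in a bump, yet still splices a listed site at step2 when only the server certificate, not the SNI, names it, because a stare at step1 does not preclude splicing. `MIXED` is the case the wiki warns about: a stare at step2 followed by a splice, reported as a conflict.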
