Re: ssl::server_name never matches during step1

On 10/11/2016 11:36 AM, Alex Rousskov wrote:
> On 10/11/2016 11:09 AM, - - wrote:
>> No matter what I try, I can't get squid4 to splice certain sites and to
>> bump/terminate the rest. My config is as follows:
>>
>> acl sni_exclusions ssl::server_name .google.com
>> acl sni_exclusions ssl::server_name .google.de
>>
>> acl tcp_level at_step SslBump1
>> acl client_hello_peeked at_step SslBump2
>> ssl_bump peek tcp_level all
>> ssl_bump splice client_hello_peeked sni_exclusions
>> ssl_bump bump all
>>
>> If I replace the ssl_bump bump all with ssl_bump terminate all, all sites are
>> terminated; if I do a ssl_bump splice all, all https traffic is going through.
> 
> Which implies that your splice rule never matches or the match is
> ignored for some reason.

AFAICT, ssl::server_name and ssl_server_name_regex are completely broken
in v4.0 as far as step1 (and equivalent) matches are concerned. Please
try the above trunk patch. It may need more work (and a v3.5
port/investigation) but it fixes the biggest/obvious problems in my tests.


Thank you,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users