
Re: Peeking on TLS traffic: unknown cipher returned

On Thu, Oct 20, 2016 at 5:01 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Please note that "peek and make a decision based on SNI" is not what
your configuration tells Squid to do.

This is a complex situation for most people (myself included); can you tell us how to "peek and make a decision based on SNI"?

I'm probably like the original poster in that I simply want to be able to transparently proxy TCP/443 so as to better log HTTPS transactions. I wouldn't even bother with the "terminate" bit: if I wanted to blacklist some HTTPS sites, I'd rather rely on the normal non-bumping ACLs, the SNI-learnt domain names, and "deny". I don't care if a cleartext blob is sent through to a client who thinks it's TLS; it will break, and that's all that matters. Anything better *requires* full MITM, which I want to avoid as I believe it has no future due to pinning.

Off to upgrade to 3.5.22 :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
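The "peek at step 1, decide on SNI at step 2" configuration the thread is asking about, as an added example for readers of the archive (not a configuration posted by Alex, Jason, or the Squid project). It assumes Squid 3.5 or later (the `at_step` and `ssl::server_name` ACLs and the `%ssl::>sni` logformat code need it), a hypothetical intercept port 3129 with traffic redirected there by the firewall, a hypothetical local CA file at `/etc/squid/ssl/squid-ca.pem` (the `ssl-bump` port option requires a certificate even when nothing is ever bumped), and `.bad.example` as a placeholder blocked domain:

```conf
# Intercepted TCP/443 arrives here; ssl-bump turns on the SslBump state machine.
# The cert= file is required by the option but is never presented to clients
# in a peek/splice-only setup.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid-ca.pem

# SslBump1: Squid has only the fake CONNECT built from the intercepted
# destination IP:port. SslBump2: Squid has parsed the client's TLS ClientHello
# and knows the SNI, so ssl::server_name now matches the requested hostname.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Placeholder list of hostnames to refuse, matched against the SNI at step 2.
acl blocked_sni ssl::server_name .bad.example

# Step 1: look at the ClientHello without modifying anything.
ssl_bump peek step1

# Step 2: decide on the SNI learnt at step 1. "terminate" closes both sides;
# everything else is spliced, i.e. Squid forwards the unmodified ClientHello to
# the real server and becomes a TCP relay. No private key, no certificate
# generation, so pinning is unaffected for spliced sites.
ssl_bump terminate blocked_sni
ssl_bump splice all

# Log the SNI alongside the usual CONNECT line so spliced sessions are
# attributable to a hostname rather than only an IP address.
logformat sni_log %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni
access_log daemon:/var/log/squid/access.log sni_log
```

Two checks worth running after loading this: `squid -k parse` should accept the file with no warnings about `ssl_bump` or `at_step`, and a spliced HTTPS request should appear in access.log as a `CONNECT` to the destination IP with the SNI filled in as the last field. A ClientHello without an SNI extension (some non-browser clients) leaves that field empty and never matches `blocked_sni`; with this configuration such connections are spliced, so an environment that wants to refuse them needs an explicit rule rather than relying on the hostname match.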
