On 06/19/2017 06:16 AM, Amish wrote:

> I was referring to:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions
>
> Based on explanation I wonder if peek and stare are exactly the same at step 1?

Both look at the same Client Hello bytes but have at least one different side effect:

* If you use "peek" during step 1 and Squid cannot decide what you want to do during step 2, then Squid should splice.
* If you use "stare" during step 1 and Squid cannot decide what you want to do during step 2, then Squid should bump.

IIRC, there were implementation bugs in the above algorithm but they may have been fixed since then. As a rule of thumb, always tell Squid what to do by making sure that at least one applicable ssl_bump rule matches, regardless of the step.

> If yes, which one should I use at step 1? peek or stare?

* If you intend to splice, use peek.
* If you intend to bump, use stare.
* If you are not yet sure, it is a gray area. Use whatever you think is best.

> My 2nd question is:
>
> In the above link it is mentioned under "Configuration Examples" that:
> "At no point during ssl_bump processing will dstdomain ACL work. That
> ACL relies on HTTP message details that are not yet decrypted"

Hm.. AFAICT, that comment is misleading: dstdomain (and dstdomain_regex) "work" as expected in some SslBump cases, sometimes even during step1. However, you should use server_name if possible instead because server_name should work as expected in all SslBump cases. And the latest Squids (v5 r15189) can be used to fine-tune server_name behavior to match based on SNI, server certificate, and other critically important cases.

HTH,

Alex.

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
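The advice above (peek when you intend to splice, stare when you intend to bump, give every step a matching ssl_bump rule, and match on the TLS server name rather than dstdomain) as an added squid.conf fragment; it is not part of the thread, and the site names, ACL names and step layout are assumptions:

```conf
# Added example, not from the mailing-list thread. Assumes an https_port
# (or http_port) already configured with ssl-bump and a signing certificate.

# One ACL per SslBump step, so every step can have a rule that applies to it.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites we must never decrypt (assumed names). ssl::server_name matches the
# name Squid knows at the current step: the CONNECT host at step 1, the
# client's SNI at step 2, the server certificate name at step 3. dstdomain
# is avoided here because it depends on HTTP details that are still encrypted.
acl splice_sites ssl::server_name .bank.example .health.example
acl splice_sites ssl::server_name_regex ^login\.
# Newer Squid (4+) can pin the source of the name, e.g. SNI only:
#   acl splice_sites ssl::server_name --client-requested .bank.example

# Step 1: we intend to splice some connections, so peek, not stare.
# If step 2 cannot decide, peek also makes the safe default a splice.
ssl_bump peek step1

# Step 2: the client's SNI is now known. Splice the protected sites
# unchanged; for everything else we intend to bump, so stare to obtain
# the real server certificate for mimicking.
ssl_bump splice step2 splice_sites
ssl_bump stare step2

# Step 3: only stared connections reach here; bump them. Nothing is left
# for Squid to guess, which is the rule of thumb from the reply above.
ssl_bump bump step3
```

Run `squid -k parse` after editing to catch ACL or step-ordering mistakes before they reach production traffic.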