On 08/11/17 17:15, senor wrote:
I am surprised that I didn't find this question asked and answered recently. Maybe this issue is newer than I realize. I understand that support of HTTPS/2 is in development but I'd like to better understand what is and is not currently supported. I discovered the other day that an intercepted client https connection, which included both h2 and http/1.1 in the ALPN extension, was tunneled when the server responded with only h2. I'm assuming that was due to squid not fully supporting HTTP/2.
Hmm. If you are using SSL-Bump to bump the traffic the current Squid should be delivering an ALPN containing only HTTP/1.1 to the server. Sending h2 in the ALPN is only valid if the proxy supports h2 natively or intends up front to splice the transaction back to "tunneled".
My initial need is to prevent the tunnel. Preferably by forcing http/1.1 and bumping but just denying the connection is second best. I'm not aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm thinking the external_acl is the only way to go. I think the client ALPN data is available at bump step 2 but what options do I have at that point? Help or corrections to my assumptions are appreciated.
Any info about your Squid version, and squid.conf contents - especially http_access and SSL-Bump related things would be useful. Random guesses about complex things like TLS are harmful to solving actual problems.
Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
