Re: ALPN, HTTP/2 and sslbump


Thanks for the input.  Peeking less and splicing sooner appears to resolve the issue I was having.  Since SNI is available at step 2 after peeking at step 1, there was no loss in functionality.  So my ssl_bump config ends up looking like below:

ssl_bump peek step1
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step2 allowed_https_ips
ssl_bump terminate step2 all


Thanks again!

On Wed, Jan 3, 2018 at 5:47 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 04/01/18 12:37, Alex Rousskov wrote:
>> On 01/03/2018 03:30 PM, brianbergstrom wrote:
>>
>>> If I understand the docs and this thread correctly, Squid should be removing
>>> h2 from the ALPN in the Client Hello since Squid does not support it.
>>
>> Please note that Squid cannot remove something when using "peek" and
>> "splice" actions.
>>
>> I do not know whether Squid removes unsupported ALPN values when using
>> "stare" and "bump" actions, and I would not be surprised to learn that
>> Squid does not police those values at all (yet),
>
> It does *unless* peeking at the server handshake: <https://github.com/squid-cache/squid/blob/v3.5/src/ssl/bio.cc#L1261>.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users



--
Brian Bergstrom
SOFTWARE ENGINEER

SportsEngine | 807 Broadway St NE | Suite 300 | Minneapolis, MN 55413
SportsEngine.com | twitter.com/NBCSportsEngine | facebook.com/NBCSportsEngine
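
The following is an added example, not part of the original message and not Squid code: a Python sketch of what a step-1 peek exposes in the TLS ClientHello (SNI and the ALPN list) and of the splice-or-terminate decision the rules above make at step 2. The ClientHello is constructed sample input, the allow-list values are assumptions, the domain matching is a simplified model of the allowed_https_sites ACL, and allowed_https_ips is not modeled.

```python
import struct

def build_client_hello(sni, alpn):
    """Constructed sample input: a minimal TLS ClientHello record."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!H", len(protos)) + protos
    exts = (struct.pack("!HH", 0, len(sni_ext)) + sni_ext +
            struct.pack("!HH", 16, len(alpn_ext)) + alpn_ext)
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"  # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (sni, alpn_list) from a ClientHello held in one TLS record."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32                                 # headers, version, random
    pos += 1 + rec[pos]                                  # session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")   # cipher suites
    pos += 1 + rec[pos]                                  # compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
    pos += 2
    sni, alpn = None, []
    while pos + 4 <= min(end, len(rec)):
        etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
        data, pos = rec[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name
            sni = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
        elif etype == 16:                                # ALPN protocol list
            i = 2
            while i < len(data):
                alpn.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
                i += 1 + data[i]
    return sni, alpn

def step2_action(rec, allowed_sites):
    """Simplified model of the rules above: splice allow-listed SNI, else terminate."""
    sni, alpn = parse_client_hello(rec)
    ok = sni is not None and any(
        sni == s.lstrip(".") or (s.startswith(".") and sni.endswith(s))
        for s in allowed_sites)
    # A spliced connection is forwarded untouched, so the client's ALPN list
    # (including "h2") reaches the server exactly as returned here.
    return ("splice" if ok else "terminate"), alpn

if __name__ == "__main__":
    hello = build_client_hello("www.example.com", ["h2", "http/1.1"])
    print(step2_action(hello, {".example.com"}))
```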