Thanks for the input. Peeking less and splicing sooner appears to resolve the issue I was having. Since SNI is available at step 2 after peeking at step 1, there was no loss in functionality. So my ssl_bump config ends up looking like below:
ssl_bump peek step1
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step2 allowed_https_ips
ssl_bump terminate step2 all
Thanks again!
On Wed, Jan 3, 2018 at 5:47 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 04/01/18 12:37, Alex Rousskov wrote:
>> On 01/03/2018 03:30 PM, brianbergstrom wrote:
>>> If I understand the docs and this thread correctly, Squid should be removing
>>> h2 from the ALPN in the Client Hello since Squid does not support it.
>> Please note that Squid cannot remove something when using "peek" and
>> "splice" actions.
>> I do not know whether Squid removes unsupported ALPN values when using
>> "stare" and "bump" actions, and I would not be surprised to learn that
>> Squid does not police those values at all (yet),
> It does *unless* peeking at the server handshake: <https://github.com/squid-cache/squid/blob/v3.5/src/ssl/bio.cc#L1261>
> Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Brian Bergstrom
SOFTWARE ENGINEER
SportsEngine | 807 Broadway St NE | Suite 300 | Minneapolis, MN 55413
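An added example, not part of the original thread and not Squid's code: a small parser showing the two ClientHello fields the thread turns on, the SNI that a step-1 peek makes available for the step-2 splice/terminate decision, and the ALPN list (including h2) that passes through untouched when splicing. The function names, the sample hostname, and the allowed-site set are assumptions constructed for illustration.

```python
import struct

def build_client_hello(host, alpn):
    """Constructed sample: a minimal TLS 1.2 ClientHello record, not captured traffic."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!H", len(protos)) + protos
    exts = (struct.pack("!HH", 0, len(sni)) + sni
            + struct.pack("!HH", 16, len(alpn_ext)) + alpn_ext)
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return {'sni': str or None, 'alpn': [str]} from one ClientHello record."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    buf = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    out = {"sni": None, "alpn": []}
    try:
        pos = 4 + 2 + 32                                  # handshake header, version, random
        pos += 1 + buf[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", buf, pos)[0]  # cipher_suites
        pos += 1 + buf[pos]                               # compression_methods
        if pos == len(buf):
            return out                                    # no extensions block
        end = pos + 2 + struct.unpack_from("!H", buf, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(buf)):
            ext_type, ext_len = struct.unpack_from("!HH", buf, pos)
            data = buf[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0:                             # server_name (SNI)
                n = struct.unpack_from("!H", data, 3)[0]
                out["sni"] = data[5:5 + n].decode("ascii", "replace")
            elif ext_type == 16:                          # ALPN protocol list
                i = 2
                while i < len(data):
                    out["alpn"].append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
                    i += 1 + data[i]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return out

def step2_action(record, allowed_sites):
    """Mirror the posted rules: splice when the SNI is allowed, otherwise terminate."""
    return "splice" if parse_client_hello(record)["sni"] in allowed_sites else "terminate"
```

Because a spliced connection forwards the client's bytes unmodified, the `alpn` list parsed here is exactly what the origin server receives.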