On 14/04/18 20:51, MK2018 wrote:
> Amos Jeffries wrote
>> FYI this is "server-first all". peek and splice before "bump all" is
>> similar but also different in ways that allow it to handle more problems
>> in better ways.
>
> I never really got to understand how to implement peek and splice verbs. I
> was glad I could get away with server-first!
>
> Any chance someone, or yourself, would rewrite a more detailed example of
> how to use them?
>

Peek is to look without touching the bytes on-wire. They may be relayed as-is to make progress in the TLS sequence. So bump maybe cannot happen later, but splice always can.

Stare is to look at the bytes on-wire and synthesize anything needing to be sent to the server. So bump can always work later, but splice maybe cannot.

Splice is to switch to opaque tunneling of the traffic immediately.

Bump is to MITM the certificate exchange, injecting a fake server cert for the client's use and stripping out any features Squid cannot support.

The old server-first receives the TCP details from the client. It then uses that *alone* to establish a connection to the server based on TLS features supported by your Squid. It then receives and attempts to respond to the clientHello using what the serverHello contained. It requires that the client is capable of handling the same feature set as Squid, or at least the TLS features chosen by the server from the set Squid offered.

The authoritative document about all this is <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>. That has had a few re-writes to clarify. Which parts (if any in the current text) are you getting confused or lost by?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
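An added illustration of the four verbs described above, written here as a squid.conf fragment and not taken from the thread or the Squid wiki; the port, certificate paths and the `no_bump_sites` list are assumptions. It shows the decision being spread over the three SslBump steps instead of the single server-first decision, with stare used to guarantee that the later bump can succeed:

```conf
# Added example; not from the original thread. Port, paths and the site
# list are assumptions chosen for illustration.
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/bump.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1: Squid only has the TCP-level details (destination IP:port).
acl step1 at_step SslBump1
# Step 2: Squid has the client's ClientHello, so SNI is available.
acl step2 at_step SslBump2
# Step 3: Squid has the ServerHello and the server certificate.
acl step3 at_step SslBump3

# Hypothetical sites that must never be intercepted (matched on SNI).
acl no_bump_sites ssl::server_name .bank.example .health.example

# The old single decision, made from TCP details alone, for comparison:
# ssl_bump server-first all

# Step 1: peek, so the client's bytes are relayed untouched and splicing
# at step 2 remains possible.
ssl_bump peek step1

# Step 2: the SNI is now known. Splice the protected sites into an opaque
# tunnel; Squid never synthesised anything, so this is always allowed.
ssl_bump splice no_bump_sites

# Everything else: stare, so Squid builds its own ClientHello to the server
# from features it supports. This is what makes bump at step 3 reliable
# (and, equally, why splice is no longer guaranteed after this point).
ssl_bump stare step2

# Step 3: MITM the remaining connections with a generated certificate.
ssl_bump bump all
```

A connection that was spliced at step 2 never reaches step 3, so the final `bump all` only ever applies to connections that were stared at.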