On 26/06/18 17:42, Ahmad, Sarfaraz wrote: > I realize that unlike other proprietary MITM appliances, Squid doesn't fiddle with the original client hello. That is not strictly true. It depends on what you have configured Squid to do. Squid does adjust the TLS extensions to only allow features that are supported (ie ALPN to remove HTTP/2, etc which is not yet supported by Squid). > I think this magnifies into the fact that we cannot look at the SubjectCN/SAN in the remote server certificate and then decide whether we want to splice or bump. (peeking at step 2 really restricts our options) > Is my understanding correct ? No. Peeking at the client Hello does not impact the final decision, whether you peek or stare at the server Hello is what does that. > Or is there a way to accomplish this ? If the client and proxy capabilities and OpenSSL config are identical (or nearly so) then theoretically Squid can still splice after a stare action. But whether the current SSL-Bump implementation is smart enough to detect that case I'm not sure. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users