On 08/08/18 02:14, Ahmad, Sarfaraz wrote:
> I cannot reproduce this. This is intermittent. In Chrome's dev
> tools, it appeared to take over 20 secs to set up the TCP connection.
> I am SSL bumping all TLS connections unless they match certain ACLs.
> So it is safe to assume that the vast majority of the traffic was
> bumped.
>
> I don't see any TLS handshake failure messages in cache.log. I think
> the access.log messages I posted earlier are fake CONNECT requests
> created using TCP-level info (the response time logged there is
> directly proportionate to what I see in Chrome's dev tools). Guessing
> that Squid would send TCP SYN-ACK only after it receives SYN-ACK from
> remote/origin server.

Your guess is wrong. The TCP level setup is only between Squid and the
client. It has to have completed before the TLS stuff can begin.

The first fake-CONNECT is done after TCP connection setup to see whether
the client is allowed to perform TLS inside it - and how Squid handles
that TLS.

> I don’t think ICAP(reqmod) would come into the
> picture yet either (assuming that even the TCP connections have not
> been set up yet) so that is safe to rule out. Am I right here?

You are right about that in relation to TCP. But TCP is already over and
done with by the time the fake-CONNECT gets generated. So wrong about
ICAP's lack of involvement - it may (or not) be.

NP: The only thing fake about the early CONNECTs is that the client did
not actually generate them. They are handled in Squid same as a regular
CONNECT message would be.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users