On 08/12/2018 04:09 PM, Julian Perconti wrote:

> I would like to know which of these two cfg's are "better" or "more secure"
> when a site/domain is spliced, bumped, etc.

It is impossible to answer that question without knowing how _you_ define
"better" or "more secure".

> acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
>
> # ssl_bump option 1: (with this I don't see the domain in "TUNNEL" line, just the IP addr.)
>
> ssl_bump peek step1
> ssl_bump peek step2 noBumpSites
> ssl_bump splice step3 noBumpSites
> ssl_bump stare step2
> ssl_bump bump step3
>
> # ssl_bump option 2: (with this I see the domain in "TUNNEL" line.)
>
> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump bump all
>
>
> And (if possible) could anyone explain the difference between these 2 cfg's ?

Bugs notwithstanding, Option 1 looks at the TLS server Hello details (step2)
before splicing or bumping the connections (at step3). Option 2 does not --
it splices or bumps based on TLS client Hello info only.

Option 1 should give Squid/you more information about the server when
splicing the two connections. For example, you can use server certificate
info during step3 and when logging.

Option 1 should give the client more information about the server when
bumping the client -- the client will get a mimicked server certificate
detail with this option.

I believe the information obtained at each step is documented at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

Please note that your

  ssl_bump splice step3 noBumpSites

is a bit risky because your noBumpSites may match differently on each step
(as it gets more reliable information). It could match at step2 but not
match at step3 or vice versa, but the decision to splice (or bump) is
essentially made at step2 -- if you peeked at step2, then you should be
splicing or terminating at step3 (and if you stared at step2, then you
should be bumping or terminating at step3). Your rules may not follow that
principle if noBumpSites matching changes.

> with Option 1 I don't see the domain in "TUNNEL" line,
> just the IP addr.)

I doubt that is how it is supposed to work. When splicing, Option 1 should
have the same or more information so it should log the domain name if
Option 2 has the domain name. If you are comparing log lines for identical
transactions, then this could be a Squid bug.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
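The step-by-step decision Alex describes above, as an added example that is not code from this thread or from Squid: a small Python model of how the two rule lists are walked across the three peek-and-splice steps. It assumes first-match-wins at each step, that a rule without a stepN ACL matches at any step, and that peek/stare continue to the next step; the per-step truth values for noBumpSites are constructed inputs standing in for the ACL matching differently as Squid learns more.

```python
# Added example (not Squid code): a simplified model of ssl_bump rule evaluation
# across step1..step3, used to show how "splice step3 noBumpSites" can produce a
# step3 action that disagrees with the step2 action.
FINAL = {"splice", "bump", "terminate"}          # actions that end the decision

# Step3 actions consistent with the step2 action, as stated in the reply.
ALLOWED_AFTER = {"peek": {"splice", "terminate"}, "stare": {"bump", "terminate"}}

# The two rule lists from the original question, as (action, [ACL names]) tuples.
OPTION1 = [("peek", ["step1"]), ("peek", ["step2", "noBumpSites"]),
           ("splice", ["step3", "noBumpSites"]), ("stare", ["step2"]),
           ("bump", ["step3"])]
OPTION2 = [("peek", ["step1"]), ("splice", ["noBumpSites"]), ("bump", ["all"])]


def acl_matches(acl, step, nobump_by_step):
    """Evaluate one ACL name at the given step. nobump_by_step (constructed input)
    maps step -> bool so the regex ACL can match differently at each step."""
    if acl == "all":
        return True
    if acl.startswith("step"):
        return int(acl[4:]) == step
    if acl == "noBumpSites":
        return nobump_by_step.get(step, False)
    raise ValueError("unknown ACL " + acl)


def walk(rules, nobump_by_step):
    """Return the action chosen at each step until a final action is reached.
    Assumption: first matching rule wins; peek/stare continue to the next step."""
    actions = []
    for step in (1, 2, 3):
        action = next((a for a, acls in rules
                       if all(acl_matches(x, step, nobump_by_step) for x in acls)), None)
        if action is None:
            break  # no rule matched; Squid's default handling is not modelled here
        actions.append(action)
        if action in FINAL:
            break
    return actions


def consistent(actions):
    """True when the step3 action agrees with what was done at step2."""
    if len(actions) < 3:
        return True
    return actions[2] in ALLOWED_AFTER.get(actions[1], set())
```

Running `walk(OPTION1, {1: True, 2: True, 3: False})` yields peek, peek, bump, which `consistent` rejects; Option 2 never reaches step3, so its decision rests on the client Hello alone.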