On 09/10/2018 12:35 PM, Julian Perconti wrote:
> So, in brief the config is:
>
> ssl_bump peek step1 all
> ssl_bump peek step2 noBumpSites
> ssl_bump stare step2 all
> ...

which should be equivalent to an even simpler config:

  ssl_bump peek step1
  ssl_bump peek noBumpSites
  ssl_bump stare all
  ...

which, for many reasonable definitions of noBumpSites (that match during
step1 if and only if they should match during step1), can be simplified
even further:

  ssl_bump peek noBumpSites
  ssl_bump stare all

However, please note that the three configs above implicitly rely on
Squid splicing (or bumping) at step3 because of the previously matching
step2 peek (or stare) action and the lack of an explicit step3 rule.
Whether Squid v4.2 actually does what it should be doing, I do not know.

> 1: Is this peek-n-splice ruleset insecure?

Define "secure".

> 2: It is correct to say that those lines are not necessary/redundant?

They should be redundant, but I do not know whether Squid v4.2
implements this aspect of the specs correctly. I know that there were
related implementation bugs in some Squid v3 releases. You can test
and, if needed, file a bug report.

> (#ssl_bump splice step3 noBumpSites/#ssl_bump bump step3 all)

Please note that the meaning of your noBumpSites ACL changes from one
step to another (because it gets more/different info). Thus, it is
incorrect to say that

  ssl_bump peek step1
  ssl_bump peek step2 noBumpSites
  ssl_bump splice step3 noBumpSites
  ...

is always exactly equivalent to

  ssl_bump peek step1
  ssl_bump peek step2 noBumpSites
  ssl_bump splice step3 all # should be optional
  ...

When using the first configuration, it is possible that, in some
specific case, noBumpSites matches during step2 but does not match
during step3, and Squid proceeds to evaluating the remaining "..."
rules in that specific case.

Such a sequence of events is not possible in the second configuration
because splicing at step3 is unconditional there -- it does not rely on
noBumpSites matches during step3.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
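As an added example, not code from the thread or from Squid, here is a small Python model of first-match ssl_bump rule evaluation per step that reproduces the step2/step3 mismatch Alex describes above. The rule tuples, the per-step ACL match sets and the noBumpSites match pattern are constructed assumptions, and a None outcome stands for falling through to the unlisted "..." rules.

```python
# Constructed model of ssl_bump evaluation (not Squid's implementation):
# at each SslBump step the first rule whose step and ACL both match wins.
# ACL matches are supplied per step, because an ACL such as noBumpSites
# can evaluate differently at step2 and step3 (more/different info).

def evaluate(rules, acl_matches):
    """Return {step: outcome}. outcome is the matched action, or None when
    no listed rule matched and the remaining '...' rules would decide.
    rules: list of (action, step or None for any step, acl or None for all)
    acl_matches: {step: set of ACL names that match at that step}"""
    outcome = {}
    for step in (1, 2, 3):
        chosen = None
        for action, rule_step, acl in rules:
            if rule_step not in (None, step):
                continue  # a stepN ACL only matches at step N
            if acl is None or acl in acl_matches.get(step, set()):
                chosen = action
                break  # first matching rule wins
        outcome[step] = chosen
    return outcome

# The two configurations compared in the message; the trailing "..." rules
# are not listed, so falling through to them shows up as None.
CONFIG_A = [("peek", 1, None), ("peek", 2, "noBumpSites"),
            ("splice", 3, "noBumpSites")]
CONFIG_B = [("peek", 1, None), ("peek", 2, "noBumpSites"),
            ("splice", 3, None)]

def step3_outcome(rules, matches_at_step2, matches_at_step3):
    """Step3 outcome for a constructed transaction in which noBumpSites
    matches (or not) at step2 and step3; step1 sees no ACL match."""
    acl_matches = {
        2: {"noBumpSites"} if matches_at_step2 else set(),
        3: {"noBumpSites"} if matches_at_step3 else set(),
    }
    return evaluate(rules, acl_matches)[3]

if __name__ == "__main__":
    # The specific case from the message: noBumpSites matches at step2
    # (so Squid peeks) but no longer matches at step3.
    print("config A:", step3_outcome(CONFIG_A, True, False))  # None
    print("config B:", step3_outcome(CONFIG_B, True, False))  # splice
```

Only config B guarantees a splice at step3; config A leaves that case to whatever the "..." rules say.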