On 09/19/2018 10:23 AM, Julian Perconti wrote:

>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>> feature (and becomes a TCP tunnel).

> What about the meaning of the ACLs at step1 when splice?

* If the splice rule ACLs match, the splice rule is applied. In that case
  you can consult my statement above.

* If the splice rule ACLs do not match, then the splice rule is not
  applied. My statement above explicitly does not cover this case -- it
  starts with "after a splice rule is APPLIED".

> e.g.:
> There are only these two rules for ssl_bump statements:
>
> ssl_bump splice sitesAB
> ssl_bump splice SitesCD
>
> I guess that here, Squid has to do 2 loops at the outer/main loop to
> evaluate step1 twice, due to the rules differing (sitesAB and sitesCD ACL)
> and see if both match to splice.

I do not know why you are guessing instead of carefully applying the
already documented procedure, but you guessed wrong. At any step, the
first matching rule is applied. For example, if sitesAB matches, then
Squid splices without checking the second (i.e. SitesCD) rule.

N.B. I removed the (misplaced) "step1" ACLs from the above example. That
ACL does not affect the above discussion.

> Are you (perhaps) talking about the examples in the thread and not what
> happens "in general"?

My statements above are general except the "For example..." sentence
that refers to your specific example.

> In which case could the "noBumpSites" ACL have not matched? I mean if I
> tell Squid: "splice at step1 this.site.net", how can that match
> fail?

Roughly speaking, the server_name ACL matches at step1 when the real or
fake CONNECT Host information matches one of the configured server names.

For example, if you are intercepting or if the real CONNECT request
contains an IP address (rather than a host name), then the server_name
ACL matches if the reverse DNS lookup for that IP address is successful
and matches at least one of the configured server names. In other cases,
the ACL does not match during step1.

The reality is more complex than the above rough summary because domain
name comparison is a complex algorithm. Consult the latest Squid
documentation for details.

Also, please do not forget that step2 matching adds checking the TLS
client SNI name, and step3 matching adds checking certificate Subject
names. It gets really complex... For example, the Host header of a
CONNECT request may not be the same as the TLS client-supplied SNI name,
and/or the server certificate subject name may. These differences (and
other random factors like DNS inconsistencies) may result in the
server_name ACL match result changing across the steps.

Modern Squids have additional server_name options that control some of
the matching nuances discussed above.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
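The following squid.conf fragment is an added illustration, not configuration from the thread or from the Squid project: it orders ssl_bump rules so that the first-match semantics and the step-dependent server_name matching described above work in the operator's favour. The ACL names, the domains and the `noBumpSites` list are assumed placeholders.

```conf
# Added example (not from the thread). Assumed placeholder names:
# step1/step2/step3, noBumpSites, .bank.example, .mail.example.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# server_name is matched against the (real or fake) CONNECT Host at step1,
# the TLS client SNI at step2, and the server certificate Subject names
# at step3, so its result can change from step to step.
acl noBumpSites ssl::server_name .bank.example .mail.example

# Squid 4+ can pin the comparison to one source, e.g. the client SNI only:
# acl noBumpSites ssl::server_name --client-requested .bank.example

# ssl_bump rules are re-evaluated at every step, top to bottom; the first
# rule whose ACLs match is applied and the rest are ignored for that step.

# Step1: always peek. Splicing here would end SslBump immediately, and on
# intercepted traffic the CONNECT is fake and carries only an IP address,
# so noBumpSites may not match yet (it depends on reverse DNS).
ssl_bump peek step1

# Step2 (and later): the SNI is now known. If noBumpSites matches, the
# connection is spliced and SslBump is over; "bump all" is never reached.
ssl_bump splice noBumpSites

# Everything else is bumped.
ssl_bump bump all
```

Placing `step1` on the splice rule instead (the misplaced ACL Alex removed) would restrict the splice decision to the step where the Host information is least reliable.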