I reply to myself due to a bounce, and I have to re-enable my membership to the list at least 3 times a month. Maybe a problem with Yahoo.

>>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>>> feature (and becomes a TCP tunnel).

OK, that is what made a noise for me, and therefore I asked about what you said.

>> What about the meaning of the ACLs at step1 when splicing?
>
> * If the splice rule ACLs match, the splice rule is applied. In that
> case you can consult my statement above.
>
> * If the splice rule ACLs do not match, then the splice rule is not
> applied. My statement above explicitly does not cover this case -- it
> starts with "after a splice rule is APPLIED".
>
>
>> e.g.:
>> There are only these two rules for ssl_bump statements:
>>
>> ssl_bump splice sitesAB
>> ssl_bump splice SitesCD
>
>> I guess that here, Squid has to do 2 loops at the outer/main loop to
>> evaluate step1 twice, because the rules differ (sitesAB and SitesCD ACLs),
>> and see if both match to splice.

I think that I made a mistake in the above sentence. I should have said "(..) Squid has to do 2 loops at the inner loop while it is at the main loop (at SslBump1)".

> I do not know why you are guessing instead of carefully applying the
> already documented procedure, but you guessed wrong. At any step, the
> first matching rule is applied. For example, if sitesAB matches, then
> Squid splices without checking the second (i.e. SitesCD) rule.

Well, I am guessing because many things are not completely clear to me and/or easy to understand at all. I am new to TLS filtering. For example, I never would have thought that in the given example the second rule (SitesCD) will never be checked later. I asked or wrote that example with the inner loop in mind; I'm sorry.

>> Are you (perhaps) talking about the examples in the thread and not what happens "in general"?
>
> My statements above are general except the "For example..." sentence
> that refers to your specific example.

It's good to know.

>> In which case could the "noBumpSites" ACL not match? I mean, if I
>> tell Squid "splice at step1 this.site.net", how can that match
>> fail?
>
> Roughly speaking, the server_name ACL matches at step1 when the real or
> fake CONNECT Host information matches one of the configured server names.
>
> For example, if you are intercepting or if the real CONNECT request
> contains an IP address (rather than a host name), then the server_name
> ACL matches if the reverse DNS lookup for that IP address is successful
> and matches at least one of the configured server names. In other cases,
> the ACL does not match during step1.
>
> The reality is more complex than the above rough summary because domain
> name comparison is a complex algorithm. Consult the latest Squid
> documentation for details. Also, please do not forget that step2
> matching adds checking the TLS client SNI name, and step3 matching adds
> checking certificate Subject names. It gets really complex...
>
> For example, the Host header of a CONNECT request may not be the same as
> the TLS client-supplied SNI name, and/or the server certificate subject
> name may. These differences (and other random factors like DNS
> inconsistencies) may result in the server_name ACL match result changing
> across the steps.
>
> Modern Squids have additional server_name options that control some of
> the matching nuances discussed above.

That's what I imagined you meant (and worried about too), without any kind of knowledge. And now you have just confirmed it. So things become a little more delicate. And *now* I understand why you put so much emphasis on saying: "If the rule matches..."

> Alex.

Thank you.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
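As an added illustration of the rule semantics discussed in this thread (first matching rule wins at each step, a splice ends SslBump, and server_name matches different information at each step), here is a squid.conf ssl_bump fragment. It is an editor's example, not configuration posted in the thread or shipped by the Squid project; the ACL names follow the thread, and the site names are placeholders.

```conf
# Added example, not from the thread. Placeholder site names.

# Step markers: Squid evaluates the ssl_bump rule list once per step.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Server-name ACLs. At step1 only the real or fake CONNECT host is known
# (or a reverse DNS result when intercepting); step2 adds the TLS client
# SNI; step3 adds the server certificate Subject names. The same ACL can
# therefore match at one step and not at another.
acl noBumpSites ssl::server_name .bank.example
acl sitesAB     ssl::server_name a.example b.example
acl SitesCD     ssl::server_name c.example d.example

# Step1: peek, so the client SNI is available at step2 before any
# splice/bump decision. "step1" always matches during step1 and this rule
# comes first, so none of the rules below are consulted at step1.
# (Moving "ssl_bump splice noBumpSites" above this line would splice at
# step1 on the CONNECT host alone, which is the match that can fail.)
ssl_bump peek step1

# Step2: first matching rule wins. If sitesAB matches, Squid splices and
# the SitesCD and bump rules are never checked for this connection.
ssl_bump splice noBumpSites
ssl_bump splice sitesAB
ssl_bump splice SitesCD

# Reached only when no splice ACL matched at this step.
ssl_bump bump all
```

Because a splice at step2 ends SslBump for that connection, a site listed in both sitesAB and SitesCD is spliced by the sitesAB rule; the second rule never runs, as Alex describes above.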