On 25/10/18 1:21 PM, Turnbull, John wrote:
> I was wondering about bumping TLS 1.3 connections and if you think that
> will ever be supported.
>

Probably. ETA indeterminate.

To quote myself from the docs: "When used properly TLS cannot be bumped".

What Squid does now is take advantage of shortcuts and workarounds many installations use(d) to avoid trouble or administration hassles with TLS/SSL. Bump only works at all when those shortcuts allow Squid to impose itself as MITM into the handshake sequence.

TLS/1.3 does not change that situation - just the code needed to do the insertion will have to be redesigned a fair bit (already underway AFAIK).

What TLS/1.3 brings to the situation differently is hiding a lot of details like SNI and server cert that were previously available up-front for the admin to selectively *avoid* bumping traffic they thought was okay. So admin will soon / now be faced with having to bump *everything* and block those relatively few parties actually using TLS "properly".

The reality is that *splice* is the ability TLS/1.3 makes harder to do reliably.

Amos