On 7/06/19 11:24 pm, Srikanth Raju wrote:
>>> * The biggest reason we care about TLS termination with bump is
>>> because we think it might give us performance benefits along some
>>> critical code paths *due to connection pooling to some slow
>>> upstreams within squid.*
>>> * Does squid automatically do this or does it need some extra
>>> config?
>>> I was looking at 'server_connections' config var.
>>
>> HTTPS connections cannot be pooled due to protocol ties at the transport
>> level between clients and servers. Once details of the TLS handshake are
>> delivered they are pinned together.
>
> Well, what I meant was, that if we use "bump" directive, it is
> effectively terminating the TLS connection from client at squid. And
> then squid initiates a separate TLS connection to the server, with its
> own shared secret. Those connections to the servers/backends can be
> pooled. This means there's a decryption/reencryption step in between. Is
> not that what happens with squid?

Not to the degree needed for pooling. There are still many properties,
from termination status to token binding, which require a 1:1 binding
between them.

It could potentially be done one day. But it is not present yet, and TLS
is in an arms race situation which makes it harder all the time to even
do SSL-Bump transparently.

It is really only possible for CDN operators to do pooling to their
origin servers. That is because they / reverse-proxies do not have to use
SSL-Bump at all.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users