I have a transparent squid 4.8 proxy peek-and-splice setup acting as a TLS domain filtering proxy. The setup worked well, until more and more servers started adopting TLS 1.3. In this case, depending on the client TLS version, errors started to appear:

If server, squid and client use TLS 1.3: Everything works as expected.

If server and squid use TLS 1.3, but client only supports TLS 1.2: The client terminates the connection due to certificate verification errors.

I have had a look at what happens at TLS protocol level using wireshark, and it seems that in the latter case, squid - for some reason - performs (something similar to) bumping instead of splicing! That is, squid sends back certificates to the client which are completely different than the ones received from the server, and appear to be generated. Any ClientKeyExchange received from the client also wouldn't be forwarded to the server.

The following is the relevant part of my squid config:

https_port 3443 intercept ssl-bump cert=/etc/squid/dummy.pem.crt key=/etc/squid/dummy.pem.key
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_connections
ssl_bump terminate step2 all
ssl_bump splice step3 allowed_https_connections
ssl_bump terminate all

where allowed_https_connections is an ACL checking ssl::server_name.

How can I get the splicing setup working when mixing TLS 1.3 servers and TLS 1.2 clients?

Many thanks!
Nikolaus

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
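The behaviour described in the post (a spliced connection should pass the origin server's certificate through unchanged, whereas a bumped one presents a proxy-generated certificate) can be checked from a client without Wireshark by connecting twice through the proxy, once capped at TLS 1.2 and once allowing TLS 1.3, and comparing the leaf certificate fingerprint each handshake returns. The script below is an added diagnostic example, not code from the original post or from the Squid project; it assumes the target host is reachable on port 443 via the intercepting proxy, and the host name on the command line is a placeholder.

```python
"""Compare the server certificate a TLS 1.3 client and a TLS 1.2 client see
through a filtering proxy. Equal fingerprints mean the connection was spliced
(origin certificate passed through); different fingerprints mean the proxy
substituted its own certificate for at least one client.

Added example, not part of the original mailing-list post. Assumes the host
is reachable on port 443 through the transparent proxy under test.
"""
import hashlib
import socket
import ssl
import sys


def fingerprint(der_cert):
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_fingerprint(host, port=443, max_version=ssl.TLSVersion.TLSv1_3, timeout=5):
    """Handshake with `host` capped at `max_version` and return
    (negotiated protocol version, leaf certificate fingerprint)."""
    ctx = ssl.create_default_context()
    # Verification is disabled on purpose: we want the certificate the proxy
    # presents even when it is a generated one the client would reject.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), fingerprint(der)


def classify(fp_tls13, fp_tls12):
    """'spliced' when both clients saw the same leaf certificate,
    'bumped' when the proxy presented different certificates."""
    return "spliced" if fp_tls13 == fp_tls12 else "bumped"


def probe(host, port=443):
    """Run both handshakes and return the observations plus a verdict."""
    v13, fp13 = fetch_leaf_fingerprint(host, port, ssl.TLSVersion.TLSv1_3)
    v12, fp12 = fetch_leaf_fingerprint(host, port, ssl.TLSVersion.TLSv1_2)
    return {
        "tls13_client": (v13, fp13),
        "tls12_client": (v12, fp12),
        "verdict": classify(fp13, fp12),
    }


if __name__ == "__main__":
    # Placeholder host name; pass the domain you are filtering as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for key, value in probe(target).items():
        print(key, value)
```

Run it from a machine whose traffic to port 443 is intercepted by the proxy. If the verdict is "bumped" for a host that the ACL is meant to splice, the TLS 1.2 client received a certificate that differs from the one the TLS 1.3 client received, which matches the symptom in the post; comparing the two fingerprints against the origin server's real certificate (obtained from a host that is not behind the proxy) shows which side was substituted.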