Hi,

I'm using Squid 3.5.27, and I want to filter some HTTPS traffic based on the hostnames. My SSL-related config is as follows:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
acl global_https_dst_allow ssl::server_name "/chroot/squid/etc/squid/global_dst_whitelist"
ssl_bump splice step2 global_https_dst_allow
ssl_bump terminate step2 proxyclients
http_access allow SSL_ports
http_access allow proxyclients
http_access deny all

Now I see that several SSL clients do NOT send the SNI hostname in the Client Hello message, and what I got is denied access, with the following entry in the log:

1570241666.136 5 192.168.3.99 TAG_NONE/200 0 CONNECT 52.202.211.224:443 - HIER_NONE/- - -

I have two questions then:

1) For such cases, is there a possibility to filter traffic based on the certificate provided by the Server Hello (instead of the SNI from the Client Hello) in step3?

2) Is there a way to allow (by an additional ACL rule, perhaps) traffic without the SNI field set? So actually I would be filtering OUT only the sessions where SNI was present but the hostname did not match my whitelist.

Best regards,
Washuu K.

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
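
Added example (not part of the original post, and not Squid project code): a small Python script for measuring how many clients and destinations are affected before any policy change. It tallies access.log entries shaped like the one quoted in the post, a CONNECT to a bare IP address with result tag TAG_NONE. Treating that shape as the marker of a session without SNI is an assumption taken from the post, the field positions assume the layout of the quoted line, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# First line is the entry quoted in the post; the others are constructed samples.
SAMPLE_LOG = """\
1570241666.136 5 192.168.3.99 TAG_NONE/200 0 CONNECT 52.202.211.224:443 - HIER_NONE/- - -
1570241667.201 84 192.168.3.99 TCP_TUNNEL/200 4312 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.10 - -
1570241668.530 4 192.168.3.41 TAG_NONE/200 0 CONNECT 198.51.100.7:443 - HIER_NONE/- - -
1570241669.002 6 192.168.3.41 TAG_NONE/200 0 CONNECT 198.51.100.7:443 - HIER_NONE/- - -
1570241670.775 3 192.168.3.41 TAG_NONE/200 0 CONNECT [2001:db8::15]:8443 - HIER_NONE/- - -
1570241671.100 9 192.168.3.50 TCP_MISS/200 1200 GET http://example.net/ - HIER_DIRECT/203.0.113.20 text/html -
truncated line
"""


def connect_host(target):
    """Return the host part of 'host:port' or '[v6]:port', or None if malformed."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]")


def is_ip_literal(host):
    """True when the CONNECT target is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bare_ip_connects(lines):
    """Count (client, target) pairs for TAG_NONE CONNECTs aimed at an IP literal."""
    hits = Counter()
    for line in lines:
        f = line.split()
        # Assumed layout: time, elapsed, client, tag/status, bytes, method, URL, ...
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        if f[3].split("/")[0] != "TAG_NONE":
            continue
        host = connect_host(f[6])
        if host and is_ip_literal(host):
            hits[(f[2], f[6])] += 1
    return hits


if __name__ == "__main__":
    for (client, dest), n in bare_ip_connects(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {client:15s} -> {dest}")
```
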