Search squid archive

Re: difference of settings doing the same as it seems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/14/19 2:06 PM, Walter H. wrote:

> #ssl_bump stare step1 all
> #ssl_bump splice nobumpsites
> #ssl_bump bump all

> ssl_bump peek step1
> ssl_bump splice nobumpsites
> ssl_bump stare all

Both configurations peek at the TLS client Hello. Both configurations
splice nobumpsites during step2 when nobumpsites matches during that
step. Now about the differences:

The first configuration bumps bumpsites (i.e. sites that did not match
nobumpsites) during step2, before the server certificate details are
known. It never reaches step3.

The second configuration uses the implicit "bump if the action during
the previous step was stare and no applicable actions matched during the
current step" rule to bump bumpsites during step3, after learning the
server certificate details.


You can rewrite these two configurations to be more symmetrical but
still have the same respective outcomes:

  # bump at step2
  ssl_bump peek step1
  ssl_bump splice nobumpsites
  ssl_bump bump all

  # bump at step3
  ssl_bump peek step1
  ssl_bump splice nobumpsites
  ssl_bump stare step2
  ssl_bump bump all

As you can see, the only difference is the "stare step2" rule which
allows Squid to learn the server certificate details and incorporate
those details into the generated fake certificate when the connections
are bumped.


> can someone explain the difference between these two ways - the
> commented ones and the other 3 settings?

If you had good reasons to think that the two configuration are the
same, consider contributing Squid documentation adjustments to better
explain why they are not.

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux