On 11/14/19 2:06 PM, Walter H. wrote:
> #ssl_bump stare step1 all
> #ssl_bump splice nobumpsites
> #ssl_bump bump all
> ssl_bump peek step1
> ssl_bump splice nobumpsites
> ssl_bump stare all

Both configurations peek at the TLS client Hello. Both configurations splice nobumpsites during step2 when nobumpsites matches during that step.

Now about the differences:

The first configuration bumps bumpsites (i.e. sites that did not match nobumpsites) during step2, before the server certificate details are known. It never reaches step3.

The second configuration uses the implicit "bump if the action during the previous step was stare and no applicable actions matched during the current step" rule to bump bumpsites during step3, after learning the server certificate details.

You can rewrite these two configurations to be more symmetrical but still have the same respective outcomes:

    # bump at step2
    ssl_bump peek step1
    ssl_bump splice nobumpsites
    ssl_bump bump all

    # bump at step3
    ssl_bump peek step1
    ssl_bump splice nobumpsites
    ssl_bump stare step2
    ssl_bump bump all

As you can see, the only difference is the "stare step2" rule which allows Squid to learn the server certificate details and incorporate those details into the generated fake certificate when the connections are bumped.

> can someone explain the difference between these two ways - the
> commented ones and the other 3 settings?

If you had good reasons to think that the two configurations are the same, consider contributing Squid documentation adjustments to better explain why they are not.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
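The step-by-step reasoning in Alex's reply can be checked with a small model of the ssl_bump decision process. The script below is an added example and is not Squid code or anything from the thread; it models only the rules the reply relies on. Its assumptions are stated in the module docstring: the first matching rule wins at each step, `all` always matches, `stepN` matches only during step N, a site ACL such as `nobumpsites` can only match from step2 on (once the SNI from the client Hello is known), peek and stare are not applicable at step3, a previous stare with no matching rule implies bump (as the reply states), and a previous peek with no matching rule implies splice (an assumed symmetric default). It evaluates Walter's original two configurations (with the `#` removed from the first) alongside Alex's rewritten pair and reports the step at which each one reaches its final decision.

```python
"""Toy model of Squid ssl_bump step evaluation (added example, not Squid code).

Assumptions, none of which come from the thread except the stare->bump rule:
  * at each step, the first ssl_bump rule whose ACLs all match wins;
  * 'all' always matches; 'stepN' matches only during step N;
  * the site ACL 'nobumpsites' matches only from step2 on (SNI is known then);
  * 'peek' and 'stare' are not applicable actions at step3;
  * when no applicable rule matches: previous 'stare' -> 'bump' (from the
    thread), previous 'peek' -> 'splice' (assumed symmetric default);
  * splice/bump/terminate are final and end evaluation.
"""

FINAL_ACTIONS = {"splice", "bump", "terminate"}
INTERMEDIATE_ACTIONS = {"peek", "stare"}

# Walter's first configuration with the leading '#' removed.
ORIGINAL_STEP1_STARE = """
ssl_bump stare step1 all
ssl_bump splice nobumpsites
ssl_bump bump all
"""

# Walter's active (uncommented) configuration.
ORIGINAL_STEP2_STARE = """
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare all
"""

# Alex's rewritten pair.
REWRITTEN_BUMP_AT_STEP2 = """
# bump at step2
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump bump all
"""

REWRITTEN_BUMP_AT_STEP3 = """
# bump at step3
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all
"""


def parse_rules(config_text):
    """Parse 'ssl_bump <action> <acl>...' lines; '#' comments and blanks are skipped."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "ssl_bump" or len(parts) < 3:
            raise ValueError(f"unsupported line in this toy model: {raw!r}")
        action, acls = parts[1], parts[2:]
        if action not in FINAL_ACTIONS | INTERMEDIATE_ACTIONS:
            raise ValueError(f"unknown ssl_bump action: {action}")
        rules.append((action, acls))  # all ACLs on one line must match (AND)
    return rules


def acl_matches(acl, step, site_in_nobumpsites):
    """Evaluate one ACL name for the given step (only the names used above)."""
    if acl == "all":
        return True
    if acl in ("step1", "step2", "step3"):
        return acl == f"step{step}"
    if acl == "nobumpsites":
        return step >= 2 and site_in_nobumpsites
    raise ValueError(f"ACL not modelled: {acl}")


def evaluate(rules, site_in_nobumpsites):
    """Return [(step, action), ...] for steps 1..3 until a final action is taken."""
    decisions = []
    previous = None
    for step in (1, 2, 3):
        action = None
        for candidate, acls in rules:
            applicable = step < 3 or candidate in FINAL_ACTIONS
            if applicable and all(acl_matches(a, step, site_in_nobumpsites) for a in acls):
                action = candidate
                break
        if action is None:
            # Implicit rule from the thread: stare then no match -> bump.
            # peek then no match -> splice is this model's assumption.
            action = "bump" if previous == "stare" else "splice"
        decisions.append((step, action))
        if action in FINAL_ACTIONS:
            break
        previous = action
    return decisions


def final_decision(config_text, site_in_nobumpsites=False):
    """(step, action) at which the configuration settles for a site."""
    return evaluate(parse_rules(config_text), site_in_nobumpsites)[-1]


if __name__ == "__main__":
    for name, cfg in [("original, stare step1", ORIGINAL_STEP1_STARE),
                      ("original, stare all", ORIGINAL_STEP2_STARE),
                      ("rewritten, bump at step2", REWRITTEN_BUMP_AT_STEP2),
                      ("rewritten, bump at step3", REWRITTEN_BUMP_AT_STEP3)]:
        print(f"{name:26} bumpsite: {evaluate(parse_rules(cfg), False)}"
              f"  nobumpsite: {evaluate(parse_rules(cfg), True)}")
```

Running the script shows the two original configurations settling at different steps for bumpsites (step2 versus step3) while both splice nobumpsites at step2, and shows that each rewritten configuration matches its original's outcome step for step.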