On 4/03/20 2:02 pm, GeorgeShen wrote:
>> There should not need to be anything configured though. Rejecting
>> unknown root CAs is how TLS is designed to work. With splice the error
>> should be produced by your UA/Browser.
>
> Although the client I have has the root cert of that untrusted CA from
> server but getting the TLS handshaking error, it was not the client locally
> rejects that. Does that change anything regarding the splice operation does
> not need any configure for that operation (if it's a squid)?

Splice means Squid has decided to have no part in the TLS or any of the
traffic. It blindly relays the exact bytes between client and upstream
server.

If Squid is doing *anything* to alter those bytes it is not splicing. It
is performing one of: stare, bump, terminate, or client-first.

Amos
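
One way to check from the client side whether a connection was spliced, as an added example that is not part of the original thread or of Squid itself: compare the leaf certificate seen directly with the one seen through the proxy. The function names and the placeholder host and proxy in the usage comment are assumptions, and Squid is assumed to be an explicit forward proxy reachable with openssl s_client -proxy (OpenSSL 1.1.0 or later).

```sh
#!/bin/sh
# Added example: tell splice apart from bump by comparing leaf certificates.

# Print the SHA-256 fingerprint of the leaf certificate of host $1, port $2.
# With a third argument (proxy host:port) the handshake goes through an
# HTTP CONNECT proxy. Prints nothing if the TLS handshake fails.
leaf_fingerprint() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -proxy "$3" \
            </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" \
            </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Classify the proxied path from two fingerprints ($1 direct, $2 via proxy):
#   spliced      same certificate, the proxy relayed the server's bytes
#   not-spliced  different certificate, the proxy took part in the TLS
#   unknown      a handshake failed, so there is no certificate to compare
classify_path() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "unknown"
    elif [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; then
        echo "spliced"
    else
        echo "not-spliced"
    fi
}

# Usage (placeholder names, run on the client machine):
#   direct=$(leaf_fingerprint server.example 443)
#   proxied=$(leaf_fingerprint server.example 443 proxy.example:3128)
#   classify_path "$direct" "$proxied"
```

A server farm that presents a different certificate per backend can produce a false "not-spliced", so repeat the check before drawing a conclusion.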