Hi,

My experience with ssl_bump is that it tries to bump SSL connections whether they are presented to Squid explicitly or implicitly. I have a device with two pieces of software, one configured with Squid explicitly, one that requires intercept (via WCCP). So both explicit CONNECT messages (on 3128/TCP) and SSL (on 443/TCP) arrive at Squid.

When simply configuring `ssl_bump bump host_acl' the Squid logs show Squid trying, and failing, to bump CONNECT requests. They may be failing most likely due to a certificate issue, I'm not sure. I can't add to the certificate store of the software that has the proxy configured (i.e. it will not permit bumping).

Is it expected that Squid will bump/splice CONNECT requests? Because not all CONNECT sessions are SSL, if the CONNECT destination does not begin a TLS handshake, will Squid revert to simply creating a TCP tunnel instead of bumping?

My workaround has been to simply add `!CONNECT' to the `ssl_bump host_acl' statements. Squid will happily bump the SSL sessions and proxy the CONNECT sessions.

Thanks,
Scott