On 4/30/20 12:10 PM, Scott wrote:
>> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
>> are sent to the SslBump code.
>>
>> * For https_port configured with an ssl-bump flag, all traffic is sent
>> to the SslBump code (by faking a corresponding HTTP CONNECT request).

> These `fake' CONNECT requests I assume only contain the IP address of the
> upstream server, not the hostname, as intercepted SSL connections are TCP
> OPENs.

Modern Squid replaces the TCP-derived destination IP address with the TLS SNI-derived domain name when generating the second fake CONNECT request. The second CONNECT is generated during SslBump step2, after parsing the TLS client handshake.

> Am I right then in saying that using ssl::server_name is useless for bumped
> intercepted connections?

It may be useful for ACLs checked during SslBump step2 (because it will check the TLS client SNI-derived domain name) and during step3 (when it will check the TLS server certificate-derived CN and SubjectAltName).

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
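The following squid.conf fragment is an added illustration of the point above; it is not from the thread and not Squid's own documentation. It shows where ssl::server_name can and cannot match on an intercepted https_port: the step1 peek is what makes the SNI-derived name available at step2, and the step2 stare is what makes the certificate-derived name available at step3 while keeping bumping possible. Port number, certificate and helper paths, cache sizes and the protected domain names are assumptions; the `--server-provided` option on ssl::server_name is a Squid 4+ feature.

```conf
# Added example squid.conf fragment (not from the thread). Port, paths,
# cache sizes and the protected domain names are assumptions.

# Intercepted HTTPS: no real CONNECT arrives, so at SslBump step1 Squid
# knows only the TCP destination IP that went into the first fake CONNECT.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be decrypted. On an intercepted connection this
# ACL cannot match a name at step1 (only an IP is known). From step2 on
# it sees the SNI-derived name, and at step3 the server certificate's
# CN/SubjectAltName as well.
acl NoBump ssl::server_name .bank.example .healthcare.example

# Squid 4+ option: match only the name taken from the server certificate,
# ignoring the SNI the client sent.
acl NoBumpByCert ssl::server_name --server-provided .bank.example .healthcare.example

# step1: read the ClientHello so the SNI is known at step2; keeps every option open.
ssl_bump peek step1
# step2: the SNI names a protected site, pass the connection through untouched.
ssl_bump splice NoBump step2
# step2: otherwise fetch the server certificate in a way that still allows bumping.
ssl_bump stare step2
# step3: the certificate names a protected site although the SNI did not
# (missing or misleading SNI). Splicing is precluded after a step2 stare,
# so the safe choice that still avoids decrypting it is to terminate.
ssl_bump terminate NoBumpByCert
# Everything else is decrypted.
ssl_bump bump all
```

The ssl_bump lines are evaluated top to bottom at each step and the first matching line wins, so the at_step ACLs pin each decision to the step at which the name it relies on actually exists. Swapping the step2 stare for a peek would allow splicing at step3 but usually preclude bumping there, which is why the step3 decision here is terminate rather than splice.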