On 1/12/21 3:33 AM, Eliezer Croitoru wrote:
> The Windows 10 MS Store tries to connect the domains:
> storeedgefd.dsx.mp.microsoft.com
> which is bypassed from SSL BUMP with a regex and server-name.
> * Squid 5.0.4 on Fedora 33.

It sounds like you have tried to configure Squid to splice traffic matching some criteria. So does Squid actually splice traffic matching those criteria? That is the first question I would ask myself when trying to triage this problem. Assuming you can create test traffic, there are many ways to answer that question, including:

1. Checking whether Squid signs Squid-to-client traffic with its own certificate.

2. After skipping any CONNECT exchanges, comparing to-Squid TCP payload with from-Squid TCP payload. If the answer to the question is "yes", then that payload should be identical, in both client-server and server-client directions.

3. Sharing Squid debugging logs containing an isolated test transaction.

Testing with other proxies and speculating about the magical possibility of client detection of TLS splicing is a waste of time _if_ your Squid configuration is incorrect (i.e. if Squid correctly follows its configuration, but that configuration contradicts your goals). Thus, I recommend starting by validating that splicing is happening, as discussed above.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
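Check 2 from the message above, as an added example that is not part of the original post or of Squid: it compares reassembled TCP payloads captured on each side of the proxy after dropping the CONNECT exchange. The function names and the short byte strings standing in for TLS records are constructed for illustration; real input would be per-direction stream payloads exported from a packet capture.

```python
# Added example: splice check by payload comparison (names are hypothetical).

def strip_connect(stream: bytes) -> bytes:
    """Drop a leading CONNECT request or its HTTP response, if present."""
    if stream.startswith(b"CONNECT ") or stream.startswith(b"HTTP/1."):
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete CONNECT exchange in capture")
        return rest
    return stream  # intercepted traffic carries no CONNECT exchange


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the streams are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def check_splice(client_to_squid, squid_to_server, server_to_squid, squid_to_client):
    """Return (spliced, offsets); spliced is True only if both directions match."""
    offsets = {
        "client->server": first_difference(strip_connect(client_to_squid), squid_to_server),
        "server->client": first_difference(server_to_squid, strip_connect(squid_to_client)),
    }
    return all(v is None for v in offsets.values()), offsets


# Constructed sample data: stand-ins for TLS records, not real handshakes.
CONNECT = (b"CONNECT storeedgefd.dsx.mp.microsoft.com:443 HTTP/1.1\r\n"
           b"Host: storeedgefd.dsx.mp.microsoft.com:443\r\n\r\n")
OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
CLIENT_HELLO = b"\x16\x03\x01\x00\x04CH-A"   # what the client sent
SQUID_HELLO = b"\x16\x03\x01\x00\x04CH-B"    # what a bumping proxy would send instead
SERVER_REPLY = b"\x16\x03\x03\x00\x04SH-A"   # what the origin server sent
SQUID_REPLY = b"\x16\x03\x03\x00\x04SH-B"    # what a bumping proxy would send instead

if __name__ == "__main__":
    print(check_splice(CONNECT + CLIENT_HELLO, CLIENT_HELLO, SERVER_REPLY, OK + SERVER_REPLY))
    print(check_splice(CONNECT + CLIENT_HELLO, SQUID_HELLO, SERVER_REPLY, OK + SQUID_REPLY))
```

A non-None offset in either direction means Squid altered the stream there, so the connection was not spliced.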