On 6/10/21 11:00 AM, Andreas Weigel wrote: >> I can only suggest to either fix the Squid bug/limitation or decide to >> splice during step1 (based on client SNI, etc., before Squid talks to >> the origin server). > don't know why I haven't yet had the idea, but indeed, if I force > splicing at step 1 or even 2, the site loads without error. This is not > exaclty a solution, but at least something to work with. If you tell Squid to proceed to step3, then Squid has a duty to validate the TLS server. Failure to do so should result in an error. This is what https://wiki.squid-cache.org/Features/SslPeekAndSplice promises to do during step3: i. Get TLS Server Hello info from the server, including the server certificate. ii. Validate the TLS server certificate. iii. Evaluate again all ssl_bump rules and perform the first matching action (splice, bump, or terminate) for the connection. We probably should enhance Squid to better control its reaction to 3i failures, but such adjustments may have to be guarded by some new explicit configuration because they would allow splicing connections to non-TLS servers or very insecure TLS servers (that were previously reported as errors). HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
