On 11/18/21 4:44 AM, Amos Jeffries wrote:
> On 18/11/21 20:08, Majed Zouhairy wrote:
>> squid is using ssl bump

> TLS/1.3 handshakes are encrypted. It often cannot be bumped, only
> spliced. Check that traffic to this server is not attempting to
> bump/decrypt.

Just to clarify: IIRC, bugs notwithstanding, Squid's basic ability to bump connections to TLS servers does not depend on the TLS version. For example, if the decision to bump is made during step2, then Squid should be able to bump connections to TLS v1.3 servers.

However, when dealing with TLS v1.3 servers, some SslBump configurations may match ssl_bump rules that admins do not expect to be matched and may result in generation of deficient fake certificates because the plain text parts of the handshake do not contain the server certificate.

Due to the lack of server certificates in the plain text part of the Squid-server handshake, peeking or staring at the TLS v1.3 server is a lot less useful than peeking or staring at TLS servers that use earlier TLS versions.

HTH,

Alex.
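
An added squid.conf illustration of the two cases in the reply above; it is not from the thread or from the Squid project. The ACL names step1, step2 and step3 are arbitrary labels, and the rule sets are minimal sketches, not a recommended policy.

```squidconf
# Added example: label the three SslBump processing steps.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Variant A: the bump decision is made during step2.
# This is the case the reply says should work against TLS v1.3 servers.
ssl_bump peek step1
ssl_bump bump step2

# Variant B (alternative to A, shown commented out): stare at the server
# during step2 and make the final decision at step3.
# Per the reply, the plain text part of a TLS v1.3 server handshake carries
# no server certificate, so rules evaluated at step3 may match in ways the
# admin does not expect and the generated fake certificate may be deficient.
# ssl_bump peek step1
# ssl_bump stare step2
# ssl_bump bump step3
```

When auditing an existing configuration against TLS v1.3 servers, check which ssl_bump rule matches at each step and whether any rule evaluated after step2 depends on the server certificate.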