Just to mention that once Squid is not splicing the connection it would have full control at the URL level.
I do not know the scenario, but I have yet to see a similar case, and it's probably because I am bumping almost all connections.

Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
Sent: Tuesday, February 22, 2022 16:32
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Splice certain SNIs which served by the same IP

On 23/02/22 01:05, Ben Goz wrote:
> By the help of God.
>
> If I'm using the self-signed certificate that I created for the ssl
> bump, then the browser considers it as the same certificate for any
> domain I'm connecting to?
>

Key thing to remember is that the TLS server certificate validates the
*server*, not the URL domain name.

HTTP/2 brings the feature of alternate server names. So once connected
and talking, a server can tell the client a bunch of other domains that
can be fetched from it.

Since you are using SSL-Bump "splice" to set up the connection, Squid has
no control or interaction over what the server and client tell each
other within that connection.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
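
Added example, not part of the original thread and not Squid code: a small audit that lists which hostnames a spliced server's certificate also covers but the splice list does not name, i.e. names an HTTP/2 client could fetch over the already spliced connection without Squid seeing them. The ACL entries, certificate names and candidate hosts are constructed sample data; the matching is a simplified model of dstdomain-style ACLs and of certificate wildcard rules, and the candidates are assumed to resolve to the same IP.

```python
# Added example: audit names reachable through a spliced TLS connection.
# All values below are constructed sample data, not taken from the thread.
SPLICE_ACL = [".bank.example"]                      # names the proxy splices
CERT_SANS = ["bank.example", "*.bank.example",      # names on the server cert
             "cdn.shared.example", "*.media.example"]
CANDIDATES = ["www.bank.example", "cdn.shared.example",
              "video.media.example", "a.b.media.example", "other.example"]


def acl_match(host, entry):
    """dstdomain-style match: '.example.com' covers the domain and subdomains."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def san_covers(san, host):
    """Certificate name match: '*' may only stand for one whole left-most label."""
    san, host = san.lower(), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host


def coalescing_exposure(splice_acl, cert_sans, candidates):
    """Hosts the certificate is valid for but the splice ACL does not name.

    A client holding a spliced HTTP/2 connection may reuse it for these
    hosts, so the proxy never gets a separate SNI to evaluate for them.
    """
    exposed = []
    for host in candidates:
        on_cert = any(san_covers(s, host) for s in cert_sans)
        in_acl = any(acl_match(host, a) for a in splice_acl)
        if on_cert and not in_acl:
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    for name in coalescing_exposure(SPLICE_ACL, CERT_SANS, CANDIDATES):
        print("reachable via spliced connection, not in splice list:", name)
```
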