On 20/12/2014 7:27 a.m., Tsantilas Christos wrote:
Okay. "transparent" is good there.

A) Consider that CONNECT is always attempted being bumped, but non-TLS protocols exist within CONNECT. Also non-TLS protocols over port 443. Also SSL v1 / v2 / v3 over port 443 when the library used by Squid has all support and knowledge of those protocols removed.

According to at least one user report Skype uses a TLS look-alike clientHello and something strange as serverHello. So we may not be able to rely on clientHello to indicate TLS. I don't know for certain the accuracy of that; you may have observed it or know differently.

B) Remember that TLS is about *security*. In security decision making you validate strictly and if it fails to pass you abort (fail closed) quickly with nothing or a code containing as few details as necessary to be clear something is wrong.

In the (A) vs (B) cases above the errors are all internal to TLS. No need to get HTTP involved if we can avoid it. If there is a TLS alert code to signal malformed traffic, use it, otherwise just abort.

Possibly a fast ACL is appropriate:

  ssl_bump_error allow/deny [acls...]

which is run to make the above decision, ONLY in the event of TLS protocol syntax errors or malformations. Not for cert/cipher/option issues such as bad combinations of valid things, or insecure settings. Default action on this *_error directive should be "deny all".

Amos

squid-dev mailing list, squid-dev@lists.squid-cache.org, http://lists.squid-cache.org/listinfo/squid-dev
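The strict, fail-closed check of a tunnel's first bytes that the message argues for, as an added example that is not Squid's code: non-TLS traffic is passed through, a sane ClientHello is parsed, and anything that claims to be TLS but is malformed is aborted with a bare alert code rather than an HTTP error. The function names, the tuple-shaped result and the sample ClientHello bytes are all constructed for illustration.

```python
import struct
ALERT_DECODE_ERROR = 50  # TLS alert sent when failing closed (RFC 5246 section 7.2.2)

class TlsSyntaxError(Exception):
    """Malformed TLS; args[0] is the alert code, and nothing more is disclosed."""

def u16(buf, pos):  # big-endian uint16; callers check bounds first
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def parse_client_hello(data):
    """Strictly parse one record holding exactly one ClientHello; any length that
    does not match the bytes actually present raises TlsSyntaxError."""
    if len(data) < 5:
        raise TlsSyntaxError(ALERT_DECODE_ERROR)
    ctype, major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    body = data[5:]
    if ctype != 0x16 or major != 0x03 or rec_len < 4 or len(body) != rec_len:
        raise TlsSyntaxError(ALERT_DECODE_ERROR)  # not one whole handshake record
    hello = body[4:]  # handshake header is type(1) + length(3)
    if body[0] != 0x01 or int.from_bytes(body[1:4], "big") != len(hello) or len(hello) < 38:
        raise TlsSyntaxError(ALERT_DECODE_ERROR)  # not exactly one ClientHello
    version, pos = (hello[0], hello[1]), 2 + 32  # client_version, then skip random
    sid_len, pos = hello[pos], pos + 1
    if sid_len > 32 or len(hello) < pos + sid_len + 2:
        raise TlsSyntaxError(ALERT_DECODE_ERROR)
    pos += sid_len
    cs_len, pos = u16(hello, pos), pos + 2
    if cs_len == 0 or cs_len % 2 or len(hello) < pos + cs_len + 1:
        raise TlsSyntaxError(ALERT_DECODE_ERROR)
    suites = [u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len, pos = hello[pos], pos + 1
    if comp_len == 0 or len(hello) < pos + comp_len:
        raise TlsSyntaxError(ALERT_DECODE_ERROR)
    pos += comp_len  # optional extensions must fill the remainder exactly
    if pos != len(hello) and (len(hello) < pos + 2 or u16(hello, pos) != len(hello) - pos - 2):
        raise TlsSyntaxError(ALERT_DECODE_ERROR)
    return {"version": version, "cipher_suites": suites}

def inspect_connect_payload(data):
    """Decide on a tunnel's first bytes: ('not-tls', None), ('tls', fields) or ('abort', alert)."""
    if len(data) < 2 or data[0] != 0x16 or data[1] != 0x03:
        return ("not-tls", None)  # e.g. plain HTTP or another protocol on port 443
    try:
        return ("tls", parse_client_hello(data))
    except TlsSyntaxError as err:
        return ("abort", err.args[0])  # fail closed with a bare alert code, no HTTP error

# Constructed sample: TLS 1.2 ClientHello with two cipher suites and no extensions.
SAMPLE_HELLO = b"\x03\x03" + b"\x11" * 32 + b"\x00\x00\x04\xc0\x2f\x00\x9c\x01\x00"
SAMPLE_RECORD = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b" + SAMPLE_HELLO  # record + handshake headers
```

Feeding SAMPLE_RECORD with its last byte cut off, or a record whose handshake length does not add up, yields ('abort', 50), while a plain HTTP request line yields ('not-tls', None).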