On 04/09/2015 07:13 AM, Amos Jeffries wrote:

> So for now this patch is okay, but we/you should already be thinking
> about how to auto-translate NPN from clients into ALPN to servers.


Please keep in mind that it is not possible to translate something and
still splice a new SSL session (the client checksum will mismatch if we
alter its handshake bytes).

I am not 100% sure about resumed sessions, but I would expect them to
use the same level of handshake modification protection, preventing
splicing of resumed SSL connections with "translated" handshakes.

Optional translation for bumped sessions sounds like a potentially
useful feature, but let's wait for somebody actually needing it.

For regular (no SslBump) reverse proxy connections to SSL servers, there
is no _translation_ because Squid just sends whatever extensions it
(i.e., OpenSSL) supports, including NPN and/or ALPN.


Cheers,

Alex.

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
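
The following is an added example, not part of the original message or of Squid's code. It assumes the "client checksum" above refers to the TLS 1.2 Finished `verify_data`, which covers every handshake message, and shows why a spliced connection fails once the relayed ClientHello has its NPN extension swapped for ALPN. The master secret, the stand-in for the remaining handshake messages and all helper names are constructed for illustration.

```python
import hashlib, hmac, struct

NPN, ALPN = 13172, 16  # TLS extension types: next_protocol_negotiation, ALPN (RFC 7301)

def p_sha256(secret, seed, n):
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def verify_data(master_secret, label, transcript):
    """Finished.verify_data = PRF(ms, label, SHA-256(all handshake messages))[:12]."""
    return p_sha256(master_secret, label + hashlib.sha256(transcript).digest(), 12)

def extension(ext_type, body=b""):
    return struct.pack("!HH", ext_type, len(body)) + body

def alpn_body(*protocols):
    names = b"".join(bytes([len(p)]) + p for p in protocols)
    return struct.pack("!H", len(names)) + names

def client_hello(*extensions):
    """Constructed minimal ClientHello handshake message (all-zero random)."""
    exts = b"".join(extensions)
    body = (b"\x03\x03" + bytes(32)      # client_version TLS 1.2, random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x00\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def spliced_finished_ok(hello_sent, hello_forwarded):
    """True if the client's Finished verifies at the server after the relay."""
    master_secret = bytes(range(48))     # constructed; both ends derive the same one
    rest = b"<constructed stand-in for ServerHello..ClientKeyExchange>"
    from_client = verify_data(master_secret, b"client finished", hello_sent + rest)
    expected = verify_data(master_secret, b"client finished", hello_forwarded + rest)
    return hmac.compare_digest(from_client, expected)

npn_hello = client_hello(extension(NPN))   # what the client actually sent
alpn_hello = client_hello(extension(ALPN, alpn_body(b"h2", b"http/1.1")))  # "translated"

if __name__ == "__main__":
    print("untouched splice:", spliced_finished_ok(npn_hello, npn_hello))
    print("translated splice:", spliced_finished_ok(npn_hello, alpn_hello))
```

The relay never holds the master secret when splicing, so it cannot recompute the client's Finished to match the altered transcript; only a bumped connection, where the proxy terminates both TLS sessions itself, leaves room for translation.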
