On 10/11/2016 11:36 AM, Alex Rousskov wrote:
> On 10/11/2016 11:09 AM, - - wrote:
>> No matter what I try, I can't get squid4 to splice certain sites and to
>> bump/terminate the rest. My config is as follows:
>> acl sni_exclusions ssl::server_name .google.com
>> acl sni_exclusions ssl::server_name .google.de
>> acl tcp_level at_step SslBump1
>> acl client_hello_peeked at_step SslBump2
>> ssl_bump peek tcp_level all
>> ssl_bump splice client_hello_peeked sni_exclusions
>> ssl_bump bump all
>> If I replace the ssl_bump bump all with ssl_bump terminate all, all sites are
>> terminated; if I do a ssl_bump splice all, all https traffic is going
>> through.
> Which implies that your splice rule never matches or the match is
> ignored for some reason.

AFAICT, ssl::server_name and ssl_server_name_regex are completely broken
in v4.0 as far as step1 (and equivalent) matches are concerned. Please
try the above trunk patch. It may need more work (and a v3.5
port/investigation) but it fixes the biggest/obvious problems in my tests.

Thank you,


squid-users mailing list
