On 12/01/21 11:32 pm, NgTech LTD wrote:
I'm saying that my config might be wrong and I will send you a full config save which can show you the whole setup like most vendors have.
I have upgraded squid in production.

Let me verify first before shouting "bug".

Eliezer


Okay. I see a few things to follow up on.


The other proxy logs show SNI as being "https://storeedgefd.dsx.mp.microsoft.com:443". SNI should be only a name, not a full URL. So if we assume that log is correct the client is producing invalid SNI. This may be an issue for Squid, causing it to ignore the SNI value entirely.

The openssl tool connecting to the same IP address the other proxy claims to be going to gets "sfdataservice.microsoft.com" as the server name. In the absence of valid SNI to work with, that is the name your Squid will be trying to match against to decide splice vs bump.


The server prefers to use TLS/1.3 unless explicitly connected to with TLS/1.2 immediately. IIRC the latest Squid forces the client to TLS/1.2 when preparing to bump, but may not for splice and stare. So YMMV.


Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
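
To check from a packet capture whether a client really sends a URL in SNI, the body of the ClientHello `server_name` extension can be parsed and the name tested against the RFC 6066 host_name rules (bare ASCII DNS name, no trailing dot, no IP literal). This is an added example, not code from the thread or from Squid, and it does not reproduce Squid's own SNI handling; the function names and the `build_ext` sample bytes are constructed for illustration.

```python
import ipaddress
import re
import struct

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen (strict LDH).
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_valid_sni_name(name: bytes) -> bool:
    """True if name is a bare ASCII DNS name as RFC 6066 requires for host_name."""
    try:
        text = name.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not text or len(text) > 255 or text.endswith("."):
        return False
    try:
        ipaddress.ip_address(text)  # literal IP addresses are not permitted in SNI
        return False
    except ValueError:
        pass
    # A scheme ("https://") or port (":443") fails here: ':' and '/' are not label characters.
    return all(_LABEL.fullmatch(label) for label in text.split("."))

def parse_server_name_ext(ext_data: bytes) -> list:
    """Split a server_name extension body (ServerNameList) into (type, name) tuples."""
    if len(ext_data) < 2 or struct.unpack_from("!H", ext_data)[0] != len(ext_data) - 2:
        raise ValueError("bad ServerNameList length")
    names, pos = [], 2
    while pos < len(ext_data):
        if pos + 3 > len(ext_data):
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack_from("!BH", ext_data, pos)
        pos += 3
        if pos + name_len > len(ext_data):
            raise ValueError("truncated host_name")
        names.append((name_type, ext_data[pos:pos + name_len]))
        pos += name_len
    return names

def build_ext(name: bytes) -> bytes:
    """Constructed sample input: an extension body carrying one host_name entry."""
    entry = struct.pack("!BH", 0, len(name)) + name
    return struct.pack("!H", len(entry)) + entry

def usable_sni(ext_data: bytes):
    """Return the host_name (name_type 0) if it is valid, otherwise None."""
    for name_type, name in parse_server_name_ext(ext_data):
        if name_type == 0:  # host_name is the only type RFC 6066 defines
            return name.decode("ascii") if is_valid_sni_name(name) else None
    return None
```

`usable_sni(build_ext(b"https://storeedgefd.dsx.mp.microsoft.com:443"))` returns `None`, while the bare name `storeedgefd.dsx.mp.microsoft.com` is returned unchanged.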
