Thanks Amos

On Thu, 12 Aug 2021, 04:05 Amos Jeffries, <squ...@treenet.co.nz> wrote:
> On 12/08/21 4:06 am, robert k Wild wrote:
> > Great thanks Amos as always
> >
> > So shall I leave these ssl bump lines in
> >
> > ssl_bump splice NoSSLIntercept
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump bump all
> >
> > And delete this one
> >
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> >
> > As you're right, they're both the same, I didn't spot that
> >
> > My understanding is the "no ssl intercept", squid doesn't even bother to
> > inspect the packets ie man in the middle and just literally passes it
> > straight to the client
> >
> > Is that right?
> >
>
> Not quite. Squid still has to receive and look at something to make the
> decision to splice.
>
> The "NoSSLIntercept" is just an ACL. Being defined as a ssl::server_name
> type it looks at whatever Squid is able to find for a server name
> amongst the available data (CONNECT message URI, the client IP's
> reverse-DNS, any TLS details seen so far, etc.).
> So it depends on how many of the SSL-Bump steps have taken place so
> far as to what it can match against.
>
> In your case it happens at step1 and maybe step2 (when the peek happened
> at step1 instead). Which means Squid looks at the TCP connection's
> client-IP, a CONNECT URI (if any) and maybe the TLS client handshake
> plain-text details.
>
> Note this is specific to your *current* configuration. Small changes
> to the order of ssl_bump lines or ACLs used can change this behaviour
> dramatically.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
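To make Amos's point about rule order and SSL-Bump steps concrete, here is an added squid.conf fragment that is not from the thread or from the Squid project. It spells out the ACLs behind the rules Robert posted and then shows the same rules reordered so the splice decision is taken after the peek. The domain names are placeholders, and the definition of DiscoverSNIHost as `at_step SslBump1` is an assumption (the thread only shows it being used, never defined).

```conf
# Added example (not from the thread): ACLs made explicit, domains are placeholders.
acl NoSSLIntercept ssl::server_name .example-bank.test .example-update.test
acl DiscoverSNIHost at_step SslBump1      # assumed definition of the thread's ACL
acl step1 at_step SslBump1                # as posted in the thread
acl step2 at_step SslBump2

# --- Ordering A: what Robert posted --------------------------------------
# ssl_bump rules are evaluated top to bottom at every step; the first match wins.
ssl_bump splice NoSSLIntercept   # step1: only the CONNECT URI host (if any) and the client IP
                                 #        are known, so intercepted traffic has no name to match yet;
                                 #        re-evaluated at step2, when the peeked SNI is available
ssl_bump peek DiscoverSNIHost    # step1 fallback: read the ClientHello so the SNI is known at step2
ssl_bump bump all                # step2 fallback: nothing spliced, so bump

# --- Ordering B: always peek first, decide on the SNI at step2 -----------
ssl_bump peek step1              # step1: no splice decision is taken on the CONNECT URI alone
ssl_bump splice NoSSLIntercept   # step2: the server_name ACL now sees the SNI from the ClientHello
ssl_bump bump all                # step2 fallback: terminate TLS and inspect
```

Only one of the two orderings belongs in a real squid.conf; they are shown together for comparison. After editing, `squid -k parse` checks the file for syntax errors before a reload. One caveat worth keeping in mind with either ordering: both the CONNECT URI and the SNI are supplied by the client, so a client can present a name on the splice list to avoid inspection; the server certificate, which Squid only sees if it peeks again at step2, is the first name that the server side vouches for.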