Project

General

Profile

Actions
Copy link

Bug #6527

closed

Squid 3.5 - Deprecated "ssl_bump server-first all" don't allow SNI in transparent mode with HTTPS/SSL Interception

Added by Michael Epstein almost 8 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
pfSense - 2.4.0
Start date:
06/23/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
All
Affected Plus Version:
Affected Architecture:

Description

As described in the squid wiki, "ssl_bump server-first all" is deprecated in squid 3.5+

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Squid_Configuration_File

For proper SNI detection you most use for example:

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

I test this configuration in "Custom ACLS (Before Auth)" with Squid 3.5, transparent mode on and HTTPS/SSL Interception on and everything is working great. With "ssl_bump server-first all" SNI isn't working.

Actions
Copy link
 #1

Updated by Chris Buechler almost 8 years ago

  • Target version deleted (2.3.2)
  • Affected Version changed from 2.3.2 to All
Actions
Copy link
 #2

Updated by Michael Epstein almost 8 years ago

Edited in order to add more information about ssl peek and splice

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Actions
Copy link
 #3

Updated by Kill Bill over 7 years ago

Actions
Copy link
 #4

Updated by Renato Botelho over 7 years ago

  • Status changed from New to Feedback
  • Target version set to 2.4.0
  • % Done changed from 0 to 100

PR has been merged to 2.4.0 and 2.3.3 snapshots

Actions
Copy link
 #5

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF