Bug #6527

Squid 3.5 - Deprecated "ssl_bump server-first all" doesn't allow SNI in transparent mode with HTTPS/SSL Interception

Added by Michael Epstein 10 months ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Squid
Target version:
Start date: 06/23/2016
Due date:
% Done: 100%
Affected version: All
Affected Architecture:

Description

As described in the squid wiki, "ssl_bump server-first all" is deprecated in squid 3.5+

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Squid_Configuration_File

For proper SNI detection you must use, for example:

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

I tested this configuration in "Custom ACLS (Before Auth)" with Squid 3.5, with transparent mode on and HTTPS/SSL Interception on, and everything is working great. With "ssl_bump server-first all", SNI isn't working.
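
A small check for the pattern described in the report above, as an added example that is not part of the original ticket or of the package's code: it scans squid.conf text for the `ssl_bump server-first` action and for `bump` rules that are not preceded by a `peek` at an `at_step SslBump1` ACL. The function name `audit_ssl_bump`, the constant names and both sample configurations are constructed for illustration.

```python
# Added example: audit squid.conf text for the ssl_bump pattern in this report.
DEPRECATED_ACTIONS = {"server-first"}  # action the report names as deprecated in 3.5+

# Constructed sample inputs.
LEGACY_CONF = "ssl_bump server-first all\n"
PEEK_CONF = """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all   # bump after the ClientHello has been peeked
"""

def audit_ssl_bump(conf_text):
    """Return (line_number, message) findings for ssl_bump rules."""
    findings = []
    step1_acls = set()        # names of ACLs defined as "at_step SslBump1"
    peeks_step1 = False       # seen "ssl_bump peek <step1 acl>" so far
    for number, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 4 and tokens[2] == "at_step":
            if "SslBump1" in tokens[3:]:
                step1_acls.add(tokens[1])
        elif tokens[0] == "ssl_bump" and len(tokens) >= 2:
            action, acls = tokens[1], set(tokens[2:])
            if action in DEPRECATED_ACTIONS:
                findings.append((number, f"deprecated ssl_bump action: {action}"))
            elif action == "peek" and step1_acls & acls:
                peeks_step1 = True
            elif action == "bump" and not peeks_step1:
                findings.append((number, "bump with no earlier peek at SslBump1"))
    return findings

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("peek", PEEK_CONF)):
        print(name, audit_ssl_bump(conf) or "ok")
```
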

History

#1 Updated by Chris Buechler 10 months ago

  • Target version deleted (2.3.2)
  • Affected version changed from 2.3.2 to All

#2 Updated by Michael Epstein 10 months ago

Edited in order to add more information about ssl peek and splice

http://wiki.squid-cache.org/Features/SslPeekAndSplice

#4 Updated by Renato Botelho 4 months ago

  • Status changed from New to Feedback
  • Target version set to 2.4.0
  • % Done changed from 0 to 100

PR has been merged to 2.4.0 and 2.3.3 snapshots

#5 Updated by Jim Pingle 3 months ago

  • Status changed from Feedback to Resolved
