On 10/28/21 12:39 PM, Steve Hill wrote:
> On 28/10/2021 16:41, Alex Rousskov wrote:
>> AFAICT, the primary obstacle here is that Squid pins the connection
>> while obtaining the origin server certificate.

> Well, I can't see why Squid needs the origin certificate - it should be
> able to make a decision off the SNI before connecting to the origin server.

Squid does not "need" any of this, of course. Configuration and/or bugs
force Squid to do what it does. If your decision-making process does not
involve the certificate, then you should be able to rewrite the fake
CONNECT request during SslBump step2, without (or before) telling Squid
to stare at the certificate (and pin the resulting connection).

There are bugs in this area, including bugs that may prevent certain
CONNECT adaptations from happening. We are fixing one of those bugs right
now. For details, you can see an unpolished/unofficial pull request at
https://github.com/measurement-factory/squid/pull/108

> I didn't seem to be able to make the decision prior to the connection
> being pinned though. I'm not sure why - I will go back and investigate
> further.

Sounds like a plan!

Cheers,

Alex.

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
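As an added illustration (not configuration from the thread or from the Squid project), this is the ssl_bump layout that keeps an SNI-only decision at step2, before Squid contacts the origin and pins on its certificate, with the certificate-dependent path beside it for contrast. The ACL names and domains are assumed placeholders, and the CONNECT rewrite itself (an adaptation) is not part of this fragment.

```conf
# Added illustration; ACL names and the .example domains are placeholders.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl blocked_sni ssl::server_name .blocked.example
acl allow_sni   ssl::server_name .allowed.example

# Step1: only parse the TLS client hello. No origin connection exists yet.
ssl_bump peek step1

# Step2: the SNI is known but the origin has not been contacted, so a
# policy that needs only the SNI can act here without fetching (and
# pinning on) the origin certificate.
ssl_bump terminate blocked_sni
ssl_bump splice allow_sni

# Everything else: staring at step2 makes Squid open the origin connection
# and fetch its certificate (pinning that connection); only then, at step3,
# can a certificate-based decision be made.
ssl_bump stare step2
ssl_bump bump all
```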