On 2026-03-04 04:57, Anthony Pankov wrote:
Tuesday, March 3, 2026, 5:02:30 PM, you wrote:
On 03.03.26 16:56, Anthony Pankov wrote:
I wonder what action to choose for sslbump on step1.
The documentation (https://wiki.squid-cache.org/Features/SslPeekAndSplice) says
the same for both:
"When a stare/peek rule matches during step1, Squid proceeds to step2 where it
parses the TLS Client Hello and extracts SNI (if any)."
Alex answered my questions about peek/splice 4 years ago, here's link:
https://ml-archives.squid-cache.org/squid-users/2022-February/024589.html
As I understand it, stare vs peek on step1 are differentiated by the default
action (bump/splice) applied later when this action is not explicitly
defined.
I'm confused because the code contains many things in terms of clientFirst,
serverFirst (for example const bool clientFirstBump = ) but in
configuration it's deprecated and there is no clue how it relates to peek/stare.
Also there is a flag sslPeek but no flag sslStare, while sslPeek
seems not related to peek/stare and means "internal ssl-bump request
to get server cert".
Yes, SslBump code has lots of quality problems (and bugs). Hopefully,
you do not have to read or adjust it. And if you do, squid-users is not
the right place to discuss it.
In conclusion my thought is that peek/stare on step1 are the same
when every sslbump step is explicitly defined in configuration.
Those two step1 actions signal a different overall _intent_. When step2
has an explicit action, that signal is of a lesser importance, but I
would not dismiss it completely because things can go wrong between
step1 and step2. If something goes wrong, Squid may have to rely on that
intent to decide whether to bump or splice while handling the problem.
Today, Squid may not work that way, but it may start doing that in the
future as we fix and polish the corresponding code/features.
Alex.
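The two rule sets the thread is comparing, as an added configuration example that is not part of the original messages: every step has an explicit action, so the only difference is the step1 intent Alex describes (peek preserves the option to splice, stare preserves the option to bump, per Squid's ssl_bump documentation). The at_step ACL names are assumptions.

```conf
# Added example, not from the thread. Directive and ACL types are Squid's;
# the ACL names step1/step2/step3 are assumptions.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Rule set A: peek at step1 (intent: keep splicing possible),
# then stare at step2 and bump at step3.
ssl_bump peek  step1 all
ssl_bump stare step2 all
ssl_bump bump  step3 all

# Rule set B: identical except step1 uses stare (intent: bump).
# With all three steps explicit, both sets end up bumping today;
# the step1 action only matters if Squid has to fall back on that
# intent when something goes wrong between step1 and step2.
# ssl_bump stare step1 all
# ssl_bump stare step2 all
# ssl_bump bump  step3 all
```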
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users