Re: [squid-dev] [RFC] TLS peek by default

2015-06-11 Thread Alex Rousskov
On 06/05/2015 04:47 PM, Amos Jeffries wrote:

> Along these lines, I am wondering why we need to have ssl_bump peek
> checked for in relation to client peeking. Can we make Squid simply do
> that first 'peek' step always for all potential HTTPS connections ?


IIRC, the reasons we did not want to peek by default included:

1. Worries about non-SSL protocols that expect the server to talk first.
If we require Squid to always peek, the transaction will get stuck. We
will need to add timeouts and such, further complicating the code and
configuration. The server-talks-first protocols are real, especially in
interception setups.

2. Worries about buggy code (ours, OpenSSL, and the combination of the
two) breaking stuff for folks that do not need to peek at all. In
retrospect, these worries were well founded -- IIRC, there were quite a
few problems with peeking at certain traffic that could be temporarily
worked around by disabling peeking using ACLs.

Christos, did I forget any other reasons?


> This would also give SNI and the like up front and make Squid able to
> act a lot more like what people in squid-users seem to be starting off
> assuming it does.

True. I think we could change how Squid does this, but I doubt simply
hard-coding peeking is a good idea for the reasons mentioned above. A
more flexible/elegant solution is probably needed (which may not exist
at all or may be more complex than your PROXY-specific project wants to
deal with).


HTH,

Alex.

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


[squid-dev] [RFC] TLS peek by default

2015-06-05 Thread Amos Jeffries
In order to support PROXY protocol on HTTPS inbound traffic we will be
needing Squid to peek at the initial client connection bytes and
process the PROXY header.

There is no need for the decryption to enter into the picture and in
current trunk Squid the bytes can be relayed in the BIO buffer to
whatever processing is appropriate.

Along these lines, I am wondering why we need to have ssl_bump peek
checked for in relation to client peeking. Can we make Squid simply do
that first 'peek' step always for all potential HTTPS connections ?


This would also give SNI and the like up front and make Squid able to
act a lot more like what people in squid-users seem to be starting off
assuming it does.

Amos
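As an added example (not Squid code, and not written by either poster), the following shows what the first 'peek' step in Amos's RFC actually yields and where Alex's first objection bites: it classifies the initial client bytes as a PROXY protocol v1 line, a TLS ClientHello (extracting the SNI), something else, or nothing at all, which is what a server-talks-first protocol looks like to a peeker. The function names, the decision-record layout, and the constructed sample ClientHello are assumptions made for this example; PROXY v2 and multi-record ClientHellos are not handled.

```python
import struct

PROXY_V1_SIG = b"PROXY "


class NeedMoreData(Exception):
    """Bytes seen so far are a valid prefix but too short to decide."""


def u16(b, i):
    """Big-endian u16 at offset i; 0 when the slice is missing (short input)."""
    return int.from_bytes(b[i:i + 2], "big")


def parse_proxy_v1(data):
    """Parse a PROXY protocol v1 line; return (info, remaining) or None."""
    if not data.startswith(PROXY_V1_SIG):
        return None
    end = data.find(b"\r\n", 0, 108)        # v1 line is at most 107 bytes incl. CRLF
    if end < 0:
        if len(data) >= 108:
            raise ValueError("PROXY v1 line too long")
        raise NeedMoreData()
    fields = data[:end].split(b" ")
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 header")   # "PROXY UNKNOWN" not handled
    _, proto, src, dst, sport, dport = fields
    return ({"proto": proto.decode(), "src": src.decode(), "dst": dst.decode(),
             "src_port": int(sport), "dst_port": int(dport)}, data[end + 2:])


def parse_client_hello_sni(data):
    """Return ("tls", sni_or_None) for a complete single-record ClientHello,
    None if the bytes are not a TLS handshake record."""
    if data[:1] != b"\x16":                 # ContentType handshake
        return None
    if len(data) < 5:
        raise NeedMoreData()
    _, major, _, rec_len = struct.unpack("!BBBH", data[:5])
    if major != 3:
        return None
    if len(data) < 5 + rec_len:
        raise NeedMoreData()
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:    # HandshakeType client_hello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if len(body) - 4 < hs_len:
        raise NeedMoreData()                # hello spans records; not handled here
    hello = body[4:4 + hs_len]
    pos = 2 + 32                            # legacy_version + random
    pos += 1 + hello[pos]                   # session_id
    pos += 2 + u16(hello, pos)              # cipher_suites
    pos += 1 + hello[pos]                   # compression_methods
    end = pos + 2 + u16(hello, pos)         # extensions (u16 is 0 if block absent)
    pos += 2
    while pos + 4 <= end:
        etype, elen = u16(hello, pos), u16(hello, pos + 2)
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        # server_name: u16 list_len, u8 name_type (0 = host_name), u16 len, name
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:
            return ("tls", edata[5:5 + u16(edata, 3)].decode("ascii"))
    return ("tls", None)


def classify_peek(data):
    """Turn peeked bytes into a decision record for the rest of the proxy."""
    if not data:
        # Nothing from the client before the peek deadline: idle client or a
        # server-talks-first protocol. Stop waiting and just relay.
        return {"kind": "no-client-data"}
    result = {}
    try:
        parsed = parse_proxy_v1(data)
        if parsed is not None:
            result["proxy"], data = parsed  # bytes after the header stay buffered
            if not data:
                raise NeedMoreData()
        tls = parse_client_hello_sni(data)
    except NeedMoreData:
        result["kind"] = "need-more"        # peek again, still under the deadline
        return result
    except (ValueError, IndexError, struct.error) as err:
        return {"kind": "malformed", "error": str(err)}
    result["kind"] = "tls" if tls else "other"
    if tls:
        result["sni"] = tls[1]
    return result


def build_client_hello(sni=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

In a proxy the input to `classify_peek` would come from a `recv` with `MSG_PEEK` (so nothing is consumed) run under a timeout; a timeout maps to the empty-input case. That deadline is exactly the extra machinery Alex says an always-peek design would need: without it a client that legitimately waits for the server to speak first never produces bytes, and the peek blocks forever. A `need-more` result means the prefix is consistent with PROXY or TLS but incomplete, so the peek should be repeated; anything `other` or `malformed` should be handed on untouched rather than bumped.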