On 06/13/2016 08:55 PM, Amos Jeffries wrote:
> Using an https_port with intercept or tproxy is pretty useless without
> ssl-bump being enabled. So auto-enable the 'ssl-bump' option on those
> ports instead of aborting with an error about ssl-bump being needed.
>
> The result of this should be that the intercepted traffic gets received
> by either the 'unknown protocol' pass-thru settings or the admin's other
> ssl-bump related settings enacted.
Enabling ssl-bump implicitly is not a good idea IMO. Bumping is a dangerous/complex feature with many side effects. If an admin really wants Squid to apply [all] ssl_bump directives to a port, they should add the ssl-bump flag to that port explicitly IMO. Implicitly enabling bumping for some ports is likely to increase confusion while providing no advantages (that I can see) other than making https_port lines a tiny bit shorter and downgrades more difficult.

If we really want to support intercepting https_port without an ssl-bump flag, then we should change Squid to blindly tunnel such port traffic, without applying any ssl_bump rules. That behavior would be consistent with default CONNECT handling (and somewhat useful for logging and similar reasons).

HTH,

Alex.

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
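For readers following the thread, here is an added squid.conf fragment (not from either message, nor from the Squid project) showing the explicit opt-in Alex argues for: an intercepting https_port that carries the ssl-bump flag itself, paired with ssl_bump rules that only peek at the TLS ClientHello and then splice everything, so nothing is decrypted. Port number and certificate path are placeholders, and option names follow Squid 3.5-era syntax.

```squid
# Added example, not part of the thread. Illustrates the explicit
# ssl-bump flag on an intercept port together with peek/splice rules
# that tunnel all TLS traffic end-to-end (no decryption).
# Port and cert path are placeholders.

# The admin opts in explicitly: ssl_bump rules apply to this port only
# because the ssl-bump flag is present.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Step 1: inspect the ClientHello (SNI) without touching the payload.
acl step1 at_step SslBump1
ssl_bump peek step1

# Then splice every connection. The client and origin complete the TLS
# handshake directly; Squid only sees the server name for logging, which
# is close to the "blindly tunnel" behaviour described in the reply.
ssl_bump splice all

# Non-TLS bytes arriving on the intercept port are passed through as-is
# (the 'unknown protocol' pass-thru setting referred to in the quote).
on_unsupported_protocol tunnel all
```

Removing the ssl-bump flag from the https_port line above makes Squid reject the configuration at startup in the pre-patch behaviour the quoted change set out to alter.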
