Hello,

Here is a minimal squid config that demonstrates this weird issue:

  http_port 3128 ssl-bump tls-cert=/tmp/cert.pem tls-key=/tmp/key.pem

  acl regua browser .*Firefox.*
  http_access allow regua
  http_access deny all

  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  acl youtube dstdomain .youtube.com

  ssl_bump peek step1
  ssl_bump splice step2 youtube
  ssl_bump bump step2 all

With this config and using Firefox to go to https://youtube.com/,
squid replies to the CONNECT with 2 different replies, causing
an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser:

  HTTP/1.1 200 Connection established
  HTTP/1.1 403 Forbidden

After reading the wiki (https://wiki.squid-cache.org/Features/SslPeekAndSplice)
I suspect this has to do with the "fake" CONNECT request, which I guess fails
to pass the http_access rule. But why would squid send 2 replies? Is this
a bug?

Adding this line:

  http_access allow step2

seems to "fix" the problem, but I'm not sure if this is the right thing to do?

Squid version is 4.6 on debian recompiled with ssl support.

Regards,

--
Gael
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
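As an added illustration (not part of the original post, and not Squid's own code), the following Python model replays the first-match `http_access` evaluation from the config above against two request contexts: the real CONNECT at step SslBump1, which carries the Firefox User-Agent, and the fake CONNECT that peek-and-splice generates at SslBump2. It assumes the fake CONNECT carries no User-Agent header, so the `browser` ACL cannot match it; the User-Agent string and request dictionaries are constructed sample data.

```python
import re

# Constructed model of squid's http_access evaluation (first matching line wins;
# every ACL named on a line must match). ACL definitions: name -> (type, pattern).
ORIGINAL_ACLS = {
    "regua": ("browser", r".*Firefox.*"),   # regex on the User-Agent header
    "step1": ("at_step", "SslBump1"),
    "step2": ("at_step", "SslBump2"),
}

# Rule sets from the post: the original, and the one with "http_access allow step2" added.
ORIGINAL_RULES = [("allow", ["regua"]), ("deny", ["all"])]
FIXED_RULES = [("allow", ["regua"]), ("allow", ["step2"]), ("deny", ["all"])]

def acl_matches(name, acls, request):
    """Evaluate one ACL against a request context (only the types used above)."""
    if name == "all":
        return True
    kind, pattern = acls[name]
    if kind == "browser":
        ua = request.get("User-Agent")
        return ua is not None and re.search(pattern, ua) is not None
    if kind == "at_step":
        return request["step"] == pattern
    raise ValueError(f"unsupported acl type: {kind}")

def http_access(rules, acls, request):
    """Return 'allow' or 'deny' for a request using squid's first-match semantics."""
    for action, names in rules:
        if all(acl_matches(n, acls, request) for n in names):
            return action
    # squid's implicit default is the opposite of the last rule's action
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed request contexts. The real CONNECT comes from the browser and has a
# User-Agent; the fake CONNECT is synthesised by squid from the TLS SNI at step2
# (assumption: it carries no User-Agent header).
REAL_CONNECT = {"method": "CONNECT", "host": "youtube.com:443", "step": "SslBump1",
                "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Firefox/65.0"}
FAKE_CONNECT = {"method": "CONNECT", "host": "youtube.com:443", "step": "SslBump2"}

def evaluate(rules):
    """Return (decision for real CONNECT, decision for fake CONNECT)."""
    return (http_access(rules, ORIGINAL_ACLS, REAL_CONNECT),
            http_access(rules, ORIGINAL_ACLS, FAKE_CONNECT))

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_RULES))  # real allowed, fake denied -> the 403
    print("with allow step2:", evaluate(FIXED_RULES))
```

In the model the original rules allow the real CONNECT (hence the 200) but deny the fake one (hence the 403 written onto the same connection); the `allow step2` line only ever matches requests squid itself generated after the real CONNECT had already passed `http_access`.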