On 2021-06-08 22:51, His Shadow wrote:
> Greetings. I've been trying to make a patch for squid,

Code changes should be discussed on the squid-dev mailing list.

FWIW, we (Squid devs) have already discussed this functionality change and I have a TODO list entry (far down, sadly) for supporting your use-case. The way I think to approach it, though, is to start with the configuration parser. A simple peek-splice/terminate TLS traffic flow should not need certificates set up by the admin.

If you want to pick up that TODO item please contact squid-dev to plan out the actual best approach with the other dev working on Squid crypto code.

Patch submission should be done by submitting a github PR targeted at our repository's 'master' branch.


> so that it
> could read client hello on connect requests and set the SNI without
> using ssl_bump, as that requires generating certificates and is too
> complicated for my needs.

Should not be too complicated. We have test scripts available that can generate fake cert and CA for the *_port config settings. Or snakeoil certs can be used.

Apart from the port settings what your patch does is just this:

 # domains to act on, using dstdomain matching
 acl blocklist dstdomain ...

 # step 1: peek at the TLS ClientHello to learn the SNI
 ssl_bump peek all
 # step 2: splice (pass through untouched) if the SNI matches blocklist
 ssl_bump splice blocklist
 # step 2: terminate every other connection
 ssl_bump terminate all

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
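The peek-then-decide flow in the config above rests on one mechanism: reading the SNI out of the ClientHello before any certificate is involved, then matching it against dstdomain ACLs. As an added example (not Squid code and not from this thread), here is a standalone Python parser that extracts the SNI from a TLS record, applies Squid-style dstdomain matching, and evaluates first-match ssl_bump rules. The ClientHello bytes, the blocklist and all function names are constructed for the demo; the fallback action when no rule matches is an assumption noted in the code.

```python
"""Extract SNI from a TLS ClientHello (what "ssl_bump peek" sees) and
evaluate ssl_bump/dstdomain-style rules against it.  Added example for
the squid-users thread; not Squid code.  Input is constructed below."""
import os
import struct

TLS_HANDSHAKE, HS_CLIENT_HELLO, EXT_SERVER_NAME, SNI_HOST_NAME = 0x16, 0x01, 0x0000, 0x00


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record."""
    name = hostname.encode("ascii")
    sni_list = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(sni_list) + 2, len(sni_list)) + sni_list
    exts = sni_ext if include_sni else b""
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"    # two cipher suites
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def _parse_sni_extension(ext: bytes):
    list_len = struct.unpack_from("!H", ext, 0)[0]
    pos, end = 2, 2 + list_len
    if end > len(ext):
        return None
    while pos + 3 <= end:
        ntype, nlen = struct.unpack_from("!BH", ext, pos)
        pos += 3
        if pos + nlen > end:
            return None
        if ntype == SNI_HOST_NAME:
            return ext[pos:pos + nlen].decode("ascii").lower()
        pos += nlen
    return None


def extract_sni(record: bytes):
    """Return the SNI host_name, or None for anything that is not a complete
    ClientHello with an SNI.  Every length is bounds-checked so truncated or
    hostile bytes give None instead of an exception."""
    try:
        ctype, _ver, rlen = struct.unpack_from("!BHH", record, 0)
        hs = record[5:5 + rlen]
        if ctype != TLS_HANDSHAKE or len(hs) < rlen or hs[:1] != bytes([HS_CLIENT_HELLO]):
            return None
        hlen = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hlen]
        if len(body) < hlen:
            return None
        pos = 2 + 32                                         # client_version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]    # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos + 2 > len(body):
            return None                                      # no extensions at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if end > len(body):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + elen > end:
                return None
            if etype == EXT_SERVER_NAME:
                return _parse_sni_extension(body[pos:pos + elen])
            pos += elen
        return None
    except (struct.error, IndexError, UnicodeError):
        return None


def dstdomain_match(host: str, patterns) -> bool:
    """Squid dstdomain semantics: '.example.com' matches the domain and all
    subdomains; a pattern without a leading dot must match exactly."""
    host = host.lower().rstrip(".")
    for p in (p.lower() for p in patterns):
        if p.startswith(".") and (host == p[1:] or host.endswith(p)):
            return True
        if host == p:
            return True
    return False


def ssl_bump_step2(record: bytes, rules, acls) -> str:
    """First matching (action, acl) rule wins, as in squid.conf; 'all' always
    matches.  Falling through with no match leaves the connection alone
    (modelled here as 'splice'; an assumption of this demo)."""
    sni = extract_sni(record)
    for action, acl in rules:
        if acl == "all" or (sni is not None and dstdomain_match(sni, acls[acl])):
            return action
    return "splice"


if __name__ == "__main__":
    acls = {"blocklist": [".example.com"]}
    rules = [("splice", "blocklist"), ("terminate", "all")]   # the posted step-2 rules
    for host in ("www.example.com", "squid-cache.org"):
        print(host, "->", ssl_bump_step2(build_client_hello(host), rules, acls))
```

Running the script prints the step-2 action chosen for each constructed ClientHello; the point of the bounds checks is that a peeking proxy sees attacker-controlled bytes before any authentication, so a malformed record must fail closed rather than crash the parser.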