[squid-dev] forward bumped traffic to parent in plain form

Anthony Pankov anthony.pankov at yahoo.com
Tue Apr 7 14:55:13 UTC 2026


Friday, April 3, 2026, 6:47:26 PM, you wrote:

> On 2026-04-03 07:20, Anthony Pankov wrote:
>> I've tried to call getSslContextStart() in startPeekAndSplice().
>> But the problem is:
>> getSslContextStart() returns synchronously in most cases after calling getSslContextDone().
>> But in the case of #if USE_SSL_CRTD (my case) it returns after sending a request to CRTD without calling getSslContextDone().
>> getSslContextDone() will be called further in sslCrtdHandleReplyWrapper().
>> So we are back in startPeekAndSplice() without getSslContextDone() and connections are closed.
>> Is there a preferred way to solve this problem?

> AFAICT, in your case, startPeekAndSplice() should do nothing when the added getSslContextStart() call returns. From https://ml-archives.squid-cache.org/squid-dev/2026-March/009992.html : getSslContextStart() should eventually trigger a call to getSslContextDone() with a non-nil Security::ContextPointer that calls httpsCreate() with the transaction-specific security context (SNI, etc.).

There is a conditional branch inside getSslContextStart():
...

    if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
        // branch A
        ...
        Ssl::configureUnconfiguredSslContext(ctx, certProperties.signAlgorithm, *port);
    } else {
        // branch B
        ...
        getSslContextDone(dynCtx);
    }

If I understand correctly, branch B must be chosen for my case.

But my configuration (as discussed previously) is:
ssl_bump stare ssl_bump_step_1
ssl_bump bump all

So the condition inside getSslContextStart() is true and branch A is chosen. The sslServerBump is always true because:
void
ConnStateData::startPeekAndSplice()
{
    // This is the Step2 of the SSL bumping
    assert(sslServerBump);
...

Does anybody have any idea about what case is behind this:
if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {


P.S. I also don't find any logic related to step3.

-- 
Best regards,
Anthony
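
The control flow discussed in this message, as an added toy model that is not part of the original post and is not Squid code: a start function whose completion callback runs either inline or later from a helper reply, with one caller that assumes the callback already ran and one that does nothing after the start call returns. All names (Conn, contextStart, contextDone, step2Assuming, step2Deferring, run) and the SNI value are hypothetical.

```cpp
// Toy model of the control flow discussed above; NOT Squid code.
// All names are hypothetical stand-ins for the functions named in the thread.
#include <functional>
#include <iostream>
#include <queue>
#include <string>
#include <vector>

struct Conn {
    bool useHelper;                  // models a build with USE_SSL_CRTD
    bool closed;
    std::vector<std::string> log;    // ordered event trace
    std::queue<std::function<void()>> *helperReplies; // answers not yet delivered

    // Continuation: runs once the security context is available.
    void contextDone(const std::string &ctx) {
        log.push_back(closed ? std::string("done-after-close") : "tls-setup:" + ctx);
    }
    // May finish inline (no helper) or later, from the helper reply handler.
    void contextStart(const std::string &sni) {
        if (!useHelper) { contextDone("ctx-for-" + sni); return; }
        log.push_back("helper-request");
        helperReplies->push([this, sni] { contextDone("ctx-for-" + sni); });
    }
    // Caller that assumes the continuation has run by the time start returns.
    void step2Assuming(const std::string &sni) {
        contextStart(sni);
        if (log.back().rfind("tls-setup:", 0) != 0) closed = true;
    }
    // Caller that does nothing after start returns, as the quoted reply advises.
    void step2Deferring(const std::string &sni) { contextStart(sni); }
};

// Runs step 2 for one connection, then delivers any pending helper reply.
std::vector<std::string> run(bool useHelper, bool assuming) {
    std::queue<std::function<void()>> replies;
    Conn c{useHelper, false, {}, &replies};
    if (assuming) c.step2Assuming("example.test");
    else c.step2Deferring("example.test");
    while (!replies.empty()) { replies.front()(); replies.pop(); }
    return c.log;
}

int main() {
    for (bool helper : {false, true})
        for (bool assuming : {true, false}) {
            std::cout << "helper=" << helper << " assuming=" << assuming << ":";
            for (const auto &e : run(helper, assuming)) std::cout << " " << e;
            std::cout << "\n";
        }
}
```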


