[squid-dev] forward bumped traffic to parent in plain form
Anthony Pankov
anthony.pankov at yahoo.com
Tue Mar 10 10:51:02 UTC 2026
Monday, March 9, 2026, 3:55:40 AM, you wrote:
> Understood. This will complicate completion of your project. Going forward, I see two primary directions:
> Option A: Give up on trying to bump the client without talking to the TLS origin server first. Let Squid talk to the TLS origin server (directly or via a cache_peer) while bumping the client. We know that this part already works. Adjust Squid code to forget/close that TLS connection after the client gets bumped and forward subsequent GET requests to a cache_peer using a different plain text connection. This option is only viable if you can let your Squid talk to the TLS origin server (directly or via a cache_peer) during client bumping.
It seems that I have to agree for the sake of going forward.
But I wonder about the consequences.
a) Will ACLs on steps still work?
ssl_bump stare step1
ssl_bump splice serverIsBank
ssl_bump bump all
Will this configuration work for splicing ACL serverIsBank, with everything else going to the cache_peer in plain form, when option A is realized?
b) OK, squid will connect to the origin server. Will it force applying ciphers/options from the origin server to the squid<->client TLS connection? Or will it have no effect, with the client<->squid connection strictly controlled by the tls- options of the http_port configuration directive?
> Option B: Assume that the TLS client does not really need any origin server info and can be bumped without talking to that server. Adjust Squid code to make that kind of bumping work, probably by modifying client-first mode. This option is only viable if its assumption is correct. I do not know whether it is correct; I do not know what exactly causes those NO_CIPHER_OVERLAP errors, for example.
I'm a bit confused about this option. Does it mean to revive the deprecated "client-first" mode?
Is it really possible when the squid experts say this mode is "old and very broken"?
Amos Jeffries Fri Sep 7 04:18:10 UTC 2018:
...
That is what the old and very broken "client-first" behaviour used to be. It does not produce any errors from
the proxy BUT leads directly to a huge pile of security vulnerabilities
and nasty side effects that may never be seen by you.
...
--
Best regards,
Anthony
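As an added example (not part of this message, and not taken from Squid's own documentation or from the thread), the squid.conf fragment below shows where each setting the questions above refer to actually lives: the step ACL and serverIsBank ACL behind the three ssl_bump rules, the tls- options on http_port that govern the client-facing handshake, the separate tls_outgoing_options directive for the Squid-to-server side, and a cache_peer with no ssl option, which is what "plain form" means in practice. Hostnames, ports and file paths are placeholders. Whether Option A keeps the splice rule effective and which side's cipher settings win are exactly the open questions of the message, so the fragment only shows the knobs, not the answers; one practical consequence it does make visible is that on the parent hop the bumped traffic travels decrypted, so that link should be confined to a network you control.

```conf
# Added example: conventional definitions for the ssl_bump rules quoted above.
# Hostnames, ports and paths are placeholders, not values from the thread.

# Step ACLs: SslBump1 = client's TLS Hello parsed, SslBump2 = server's TLS Hello/certificate obtained
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Origins that must never be decrypted; ssl::server_name matches the SNI (and later the server certificate)
acl serverIsBank ssl::server_name .bank.example

# Client-facing side: the tls- options on http_port shape the Squid<->client TLS handshake
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1 cipher=HIGH:!aNULL:!MD5

# Server-facing side: Squid<->origin TLS options are configured separately from http_port
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1 cipher=HIGH:!aNULL:!MD5

# The rules exactly as quoted in the message
ssl_bump stare step1
ssl_bump splice serverIsBank
ssl_bump bump all

# Parent for the bumped traffic; without the 'ssl' option this hop carries the decrypted requests in plain form
cache_peer parent.example parent 3128 0 no-query default
never_direct allow all
```

The two option lists are deliberately written out twice rather than shared, because http_port and tls_outgoing_options are independent directives; a change to one does not propagate to the other.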