[squid-users] SSL Bump differences at various steps

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 10 08:41:10 UTC 2026


On 06/03/2026 22:35, Andrey K wrote:
> Hello,
> 
> I was wondering what are the differences if we apply the sslbump 
> operation at different steps?
> The documentation contains information about only one difference - when 
> we bump at the step1 Proxy first establishes a TLS connection with the 
> Client, and then with the Server, while in the other cases - first with 
> the Server, and then with the Client.
> 
> I looked into this issue and tried to summarize the information I have 
> (I will not detail here the information available to the admin at each 
> of the three steps). Maybe it will help someone.
> 

Thank you.

Though, for anyone reading this in the future - be aware that Squid 
behaviour which is _not_ documented officially is subject to change 
without notice.

There are still bugs being found and removed from this feature. For 
example, see below...


> Bumping at steps 2 and 3 is very similar, but in the first case, 
> Proxy sends ClientHello to a Server with its own ciphers, and in the latter case - 
> with ciphers received from the Client.
> 
> If anyone has any comments or additions, please feel free to complete it.
> 

This looks like a bug to me. Squid should only be preserving the client 
ciphers etc. when "peek" is used - in order to permit step2/3 splice.

The explicit configuration of "stare" in your tests should be enabling 
Squid to filter the ciphers it sends to make your test #2 and #3 
identical traffic.

What your test #2 is showing is what I would expect from the slightly 
weird configuration:
   ssl_bump peek step1
   ssl_bump stare step2
   ssl_bump bump step3

or just,
   ssl_bump stare step2
   ssl_bump bump step3


Cheers
Amos
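As an added illustration (not part of this thread, and not Squid's own code), the following Python script parses the ssl_bump lines of a squid.conf fragment, resolves the first-matching action for each SslBump step, and reports which ClientHello Squid would forward to the server under the model stated in the reply above: after "peek" the client's own ciphers are preserved, after "stare" Squid sends its own filtered list. The step1/step2/step3 ACL names, the first-match simplification and the sample config are assumptions for the example; real Squid behaviour that is not documented may differ, as the reply itself warns.

```python
"""Audit ssl_bump actions per step in a squid.conf fragment.

Assumptions (an example model, not verified against any Squid release):
- ssl_bump rules are evaluated first-match at each step, with steps named
  by ACLs step1/step2/step3 (as in the snippet in the reply above).
- After "peek", Squid forwards the client's ClientHello (ciphers etc.) so a
  later splice stays possible; after "stare" it sends its own cipher list.
"""
import re

# Constructed sample, mirroring the "slightly weird" configuration from the reply.
SAMPLE_CONF = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1    # inspect the ClientHello
ssl_bump stare step2   # inspect the ServerHello with Squid's own ciphers
ssl_bump bump step3
"""

SSL_BUMP_RE = re.compile(r'^\s*ssl_bump\s+(\S+)((?:\s+!?\S+)*)\s*$')


def parse_ssl_bump(conf_text):
    """Return [(action, [acl, ...]), ...] in file order, ignoring comments."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        m = SSL_BUMP_RE.match(line)
        if m:
            rules.append((m.group(1).lower(), m.group(2).split()))
    return rules


def action_at_step(rules, step):
    """First-match lookup, simplified to the 'all' and stepN ACL names.

    A rule with no ACLs matches every step; a negated ACL (!stepN) never
    matches here (hypothetical simplification for the example).
    """
    for action, acls in rules:
        if all(acl in ('all', step) for acl in acls):
            return action
    return None  # no matching rule; Squid's default is not modelled


def forwarded_client_hello(rules):
    """Return 'client', 'squid' or 'none' for the ClientHello sent upstream.

    Walk the steps; the last peek/stare before a bump decides, per the
    reply's claim: peek -> client's ciphers preserved, stare -> Squid's own.
    A bump straight at step1 uses Squid's own; splice/terminate sends none.
    """
    last_look = None
    for step in ('step1', 'step2', 'step3'):
        act = action_at_step(rules, step)
        if act in ('peek', 'stare'):
            last_look = act
        elif act == 'bump':
            return 'client' if last_look == 'peek' else 'squid'
        else:  # splice, terminate, or no rule: no bumped server-side TLS
            return 'none'
    return 'none'


def audit(conf_text):
    """Summarise a config: per-step action plus the forwarded ClientHello origin."""
    rules = parse_ssl_bump(conf_text)
    steps = {s: action_at_step(rules, s) for s in ('step1', 'step2', 'step3')}
    return {'steps': steps, 'client_hello': forwarded_client_hello(rules)}


if __name__ == '__main__':
    for step, act in audit(SAMPLE_CONF)['steps'].items():
        print(f'{step}: {act}')
    print('forwarded ClientHello:', audit(SAMPLE_CONF)['client_hello'])
```

Swapping the stare at step2 for a peek makes the script report that the client's ciphers would reach the server, which is the behaviour the original poster observed for a bump at step3 and the reply considers expected only after a peek.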