[squid-users] SSL Bump differences at various steps
Andrey K
ankor2023 at gmail.com
Fri Mar 13 13:22:35 UTC 2026
Hello, Amos,
Thank you for the comments.
I double-checked the results (I have squid-6.10).
The configurations:
ssl_bump stare step1
ssl_bump stare step2
ssl_bump bump step3
and
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump step3
produce the same result - during TLS handshake with the Server, the Proxy
uses the cipher suite received from the original Client.
While in the case of the configuration
ssl_bump stare step1
ssl_bump bump step2
ssl_bump bump step3
the Proxy uses its own cipher suite.
It doesn't bother me at all, but I can share a debug-log if it helps improve
SQUID.
I think debug level 83,9:
debug_options ALL,1 83,9
will be enough?
Kind regards,
Ankor
Tue, 10 Mar 2026 at 11:41, Amos Jeffries <squid3 at treenet.co.nz>:
> On 06/03/2026 22:35, Andrey K wrote:
> > Hello,
> >
> > I was wondering what are the differences if we apply the ssl_bump
> > operation at different steps?
> > The documentation contains information about only one difference - when
> > we bump at the step1 Proxy first establishes a TLS connection with the
> > Client, and then with the Server, while in the other cases - first with
> > the Server, and then with the Client.
> >
> > I looked into this issue and tried to summarize the information I have
> > (I will not detail here the information available to the admin at each
> > of the three steps). Maybe it will help someone.
> >
>
> Thank you.
>
> Though, for anyone reading this in the future - be aware that Squid
> behaviour which is _not_ documented officially is subject to change
> without notice.
>
> There are still bugs being found and removed from this feature. For
> example, see below...
>
>
> > Bumping at steps 2 and 3 is very similar, but in the first case, the
> > Proxy sends ClientHello to a Server with its own ciphers, and in the latter case -
> > with ciphers received from the Client.
> >
> > If anyone has any comments or additions, please feel free to complete it.
> >
>
> This looks like a bug to me. Squid should only be preserving the client
> ciphers etc when "peek" is used - in order to permit step2/3 splice.
>
> The explicit configuration of "stare" in your tests should be enabling
> Squid to filter the ciphers it sends to make your test #2 and #3
> identical traffic.
>
> What your test #2 is showing is what I would expect from the slightly
> weird configuration:
> ssl_bump peek step1
> ssl_bump stare step2
> ssl_bump bump step3
>
> or just,
> ssl_bump stare step2
> ssl_bump bump step3
>
>
> Cheers
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
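The observation above (whether the proxy's ClientHello towards the origin server carries the original client's cipher suite list or Squid's own) can be checked from packet captures rather than from 83,9 debug output alone. The script below is an added example, not code from the thread or from the Squid project: it parses the cipher suite list and SNI out of a raw TLS ClientHello record and compares the client-facing and server-facing hellos. The two cipher lists and the host name are constructed sample data; in practice you would feed it the ClientHello bytes captured on the client-facing and server-facing sides of the proxy (for example with tcpdump) and look at which suites were dropped or added.

```python
"""Compare the cipher suite list in two TLS ClientHello records.

Added example for the SSL Bump discussion: given the ClientHello the
client sent to the proxy and the ClientHello the proxy sent to the
server, report whether the proxy preserved the client's cipher list
(peek behaviour) or substituted its own (stare/bump behaviour).
"""
import struct

# Constructed sample data (not from the thread): a browser-like list
# and a narrower "proxy's own" list with the legacy suite removed.
CLIENT_CIPHERS = [
    0x1301,  # TLS_AES_128_GCM_SHA256
    0x1302,  # TLS_AES_256_GCM_SHA384
    0xC02B,  # ECDHE-ECDSA-AES128-GCM-SHA256
    0xC02F,  # ECDHE-RSA-AES128-GCM-SHA256
    0x002F,  # AES128-SHA (legacy, no forward secrecy)
]
PROXY_CIPHERS = [0x1302, 0x1301, 0xC02F, 0xC02B]
SAMPLE_SNI = "example.com"  # assumed host name for the sample hello


def build_client_hello(ciphers, sni=None, random_bytes=b"\x11" * 32):
    """Build a minimal TLS 1.2-style ClientHello record (test input only)."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    exts = b""
    if sni:
        name = sni.encode("ascii")
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        sn_ext = struct.pack("!H", len(sn_list)) + sn_list
        exts += struct.pack("!HH", 0, len(sn_ext)) + sn_ext  # extension type 0 = SNI
    hello = (struct.pack("!H", 0x0303) + random_bytes + b"\x00"  # empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"  # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'version', 'ciphers', 'sni'} from a raw ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32  # version + client random
    pos += 1 + hello[pos]  # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cs_bytes = hello[pos:pos + cs_len]
    pos += cs_len
    if len(cs_bytes) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher suite list")
    ciphers = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    pos += 1 + hello[pos]  # compression methods
    sni = None
    if pos + 2 <= len(hello):  # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0 and len(data) >= 5:  # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "ciphers": ciphers, "sni": sni}


def compare_hellos(client_side, server_side):
    """Diff the cipher lists of the client->proxy and proxy->server hellos."""
    a = parse_client_hello(client_side)["ciphers"]
    b = parse_client_hello(server_side)["ciphers"]
    return {
        "preserved": a == b,  # same suites in the same order: peek-style forwarding
        "dropped": [c for c in a if c not in b],  # offered by client, not forwarded
        "added": [c for c in b if c not in a],    # proxy offered on its own
    }


def demo():
    """Run both cases from the thread on the constructed sample hellos."""
    client_hello = build_client_hello(CLIENT_CIPHERS, SAMPLE_SNI)
    forwarded = build_client_hello(CLIENT_CIPHERS, SAMPLE_SNI)   # proxy kept client list
    own_list = build_client_hello(PROXY_CIPHERS, SAMPLE_SNI)     # proxy used its own list
    return compare_hellos(client_hello, forwarded), compare_hellos(client_hello, own_list)


if __name__ == "__main__":
    kept, replaced = demo()
    print("peek-style:", kept)
    print("own ciphers:", replaced)
```

When run against real captures, a non-empty `dropped` list on the server-facing side is what Amos describes as the expected outcome of `stare` (Squid filtering the suites it forwards), while `preserved` being true on a `stare`/`bump` configuration is the behaviour being reported as a bug.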