<div dir="ltr">Hello, Amos,<div><br></div><div>Thank you for the comments.</div><div>I double-checked the results (I have squid-6.10).</div><div><br></div><div>The configurations:</div><div><font face="monospace"> ssl_bump <b>stare </b>step1<br> ssl_bump stare step2<br> ssl_bump bump step3</font><br></div><div>and </div><div><font face="monospace"> ssl_bump <b>peek </b>step1<br> ssl_bump stare step2<br> ssl_bump bump step3</font></div>
<div>produce the same result - during TLS handshake with the Server, the Proxy uses the cipher suite received from the original Client.</div>
<div><br></div>
<div>While in the case of the configuration</div>
<div><font face="monospace"> ssl_bump stare step1<br> ssl_bump bump step2<br> ssl_bump bump step3</font></div>
<div>, the Proxy uses its own cipher suite.</div>
<div><br></div>
<div>It doesn't bother me at all, but I can share a debug-log if it helps improve SQUID.</div>
<div>I think debug level 83,9:</div>
<div><font face="monospace"> debug_options ALL,1 83,9</font></div>
<div>will be enough?</div>
<div><br></div>
<div><br></div>
<div>Kind regards,</div>
<div> Ankor</div>
</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Tue, 10 Mar 2026 at 11:41, Amos Jeffries &lt;<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>&gt;:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 06/03/2026 22:35, Andrey K wrote:<br>
> Hello,<br>
> <br>
> I was wondering what are the differences if we apply the sslbump <br>
> operation at different steps?<br>
> The documentation contains information about only one difference - when <br>
> we bump at the step1 Proxy first establishes a TLS connection with the <br>
> Client, and then with the Server, while in the other cases - first with <br>
> the Server, and then with the Client.<br>
> <br>
> I looked into this issue and tried to summarize the information I have <br>
> (I will not detail here the information available to the admin at each <br>
> of the three steps). Maybe it will help someone.<br>
> <br>
<br>
Thank you.<br>
<br>
Though, for anyone reading this in the future - be aware that Squid <br>
behaviour which is _not_ documented officially is subject to change <br>
without notice.<br>
<br>
There are still bugs being found and removed from this feature. For <br>
example, see below...<br>
<br>
<br>
> Bumping at steps 2 and 3 are very similar, but in the first case, <br>
> Proxy sends ClientHello to a Server with its own ciphers, and in the latter case - <br>
> with ciphers received from the Client.<br>
> <br>
> If anyone has any comments or additions, please feel free to complete it.<br>
> <br>
<br>
This looks like a bug to me. Squid should only be preserving the client <br>
ciphers etc when "peek" is used - in order to permit step2/3 splice.<br>
<br>
The explicit configuration of "stare" in your tests should be enabling <br>
Squid to filter the ciphers it sends to make your test #2 and #3 <br>
identical traffic.<br>
<br>
What your test #2 is showing is what I would expect from the slightly <br>
weird configuration:<br>
ssl_bump peek step1<br>
ssl_bump stare step2<br>
ssl_bump bump step3<br>
<br>
or just,<br>
ssl_bump stare step2<br>
ssl_bump bump step3<br>
<br>
<br>
Cheers<br>
Amos<br>
<br>
</blockquote></div>
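<div>An added example, not part of the original thread and not Squid code: one way to check from a packet capture which ciphers the proxy offered to the server, by parsing the ClientHello the client sent to the proxy and the ClientHello the proxy sent to the server and comparing the two cipher-suite lists. The function names, the three result labels and the sample records are constructed for illustration; it assumes each ClientHello fits in a single TLS record.</div>

```python
import struct

# RFC 8701 GREASE placeholders (0x0A0A, 0x1A1A, ... 0xFAFA) are ignored in comparisons.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def client_hello_ciphers(record: bytes) -> list:
    """Return the cipher-suite IDs offered in a single-record TLS ClientHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                       # skip legacy_version and random
    if len(hello) <= pos:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]              # skip session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    n = struct.unpack("!H", hello[pos:pos + 2])[0]
    suites = hello[pos + 2:pos + 2 + n]
    if n % 2 or len(suites) != n:
        raise ValueError("malformed cipher_suites vector")
    return [s for (s,) in struct.iter_unpack("!H", suites) if s not in GREASE]

def classify(client_record: bytes, proxy_record: bytes) -> str:
    """Compare client->proxy and proxy->server ClientHello cipher lists."""
    offered = client_hello_ciphers(client_record)
    sent = client_hello_ciphers(proxy_record)
    if sent == offered:
        return "mirrored"              # proxy forwarded the client's list
    if sent and set(sent) <= set(offered):
        return "subset"                # proxy sent only ciphers the client offered
    return "proxy-own"                 # proxy offered ciphers the client did not

def build_hello(suites, session_id=b"") -> bytes:
    """Build a minimal ClientHello record (constructed sample data only)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    client = build_hello([0x0A0A, 0x1301, 0x1302, 0xC02F])    # constructed
    print(classify(client, build_hello([0x1301, 0x1302, 0xC02F])))
    print(classify(client, build_hello([0x1303, 0xC030])))
```
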