Re: ssl-bump options

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 06 Nov 2007 20:23:42 +1300

Alex Rousskov wrote:
> On Tue, 2007-11-06 at 16:22 +1300, Amos Jeffries wrote:
>
>> My understanding is that https_port is for when squid is accelerating
>> https and thus listening. IMHO it should remain an inbound-only config.
>
> Agreed.
>
>> Ah, I took your commit comment "but it relies on https_port being set (to
>> get SSL certificates and related info)" to mean the settings were being
>> taken from the https_port part of Config, not the sslproxy part (of which
>> I was only vaguely aware until you pointed it out).
>
> I think we are on the same page now.
>
> Currently, SSL Bump is using http_port for incoming settings and
> sslproxy_* for outgoing. The http_port option can now accept SSL-related
> properties, just like https_port does.

...!!? ... !!!?! ... oOH. Eureka. Dumbass me wasn't thinking both sides
of the bump properly. :-(

I was forgetting the symmetry needed on the 'in' side of the bump. Of
course the option has to go on http_port. :-P

I got it now. Thanks, and sorry for the bother.

>
>> But Yes, looking up the sslproxy_*. My proposal would encompass the
>> sslproxy_* options as optional arguments in a single ssl_outgoing_address
>> which could be a per-outgoing-IP setting (due to SSL certs being
>> per-address/port) or a wildcard if ALL use the same details in a generic
>> cert. Instead of the many individual options at present.
>
> Right. There are a lot of cleanup opportunities there. For example, it
> may be a good idea to pack all SSL-related options in one port-unrelated
> user-named setting and then just use that name in http_port, https_port,
> and sslproxy_* options:
>
> ssl_profile <name> [certificate] [key] ...
> ...
> https_port <address> ssl_profile=<name>
> sslproxy [address] ssl_profile=<name>
> ...
>
> But that is another project/discussion... :-)

Hmm, nice extension on the idea.
Yes, a config cleanup will be on my agenda for 3.1.x.

Amos
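As an added illustration (not part of the thread above, and not a configuration posted by either author), here is a squid.conf fragment laying out the split Alex describes: http_port carries the incoming (client-facing) SSL settings for the bump, while the sslproxy_* directives govern the connection Squid itself opens to the origin server. It assumes the directive names and option syntax of the Squid 3.1 line (http_port ssl-bump/cert=/key=, ssl_bump, sslproxy_cafile, sslproxy_options, sslproxy_flags, sslproxy_cert_error, always_direct); file paths, the port number and the ACL name are placeholders. The ssl_profile directive Alex sketches is a proposal and is not used here.

```squid
# Added example, not from the original thread. Assumes Squid 3.1-era
# directive names; paths, ports and ACL names are placeholders.

# Incoming side: clients connect here. "ssl-bump" turns bumping on, and the
# cert=/key= pair is the CA Squid uses to mint per-site certificates. That
# key must be readable only by the Squid user, and the cert has to be in
# every client's trust store, or every bumped site shows a warning.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key

# https_port stays inbound-only (reverse proxy / accelerator) and plays no
# part in bumping, which is the point agreed on in the thread.
# https_port 443 accel cert=/etc/squid/site.pem key=/etc/squid/site.key defaultsite=www.example.com

# Which client requests get bumped (3.1 syntax: a plain allow/deny ACL).
acl bumpable src 10.0.0.0/8
ssl_bump allow bumpable
ssl_bump deny all

# Outgoing side: sslproxy_* applies to the TLS session Squid opens to the
# origin server on the client's behalf after the bump.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_options NO_SSLv2,NO_SSLv3

# Weak settings, shown commented out for contrast: either one makes Squid
# accept any origin certificate, so a bumped client loses all upstream
# verification and the proxy becomes the man in the middle for attackers too.
#   sslproxy_flags DONT_VERIFY_PEER
#   sslproxy_cert_error allow all
# Keep the default behaviour explicit instead:
sslproxy_cert_error deny all

# 3.1 cannot forward bumped requests through a cache_peer, so go direct.
always_direct allow all
```

The symmetry Amos arrives at is visible in the two halves: the cert=/key= on http_port is what the client sees, and sslproxy_cafile plus sslproxy_cert_error are what Squid demands of the server. Loosening the second half is the mistake to watch for, because the client can no longer check the origin certificate itself once it is bumped.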
Received on Tue Nov 06 2007 - 00:23:47 MST
