Re: [squid-users] Does squid support TLS ticket based SSL session reuse?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 20 Jun 2013 17:01:56 +1200

On 20/06/2013 6:51 a.m., Ahmed Talha Khan wrote:
> Does squid support SSL session reuse? If so then is it based on the
> older ssl session_identifiers or the TLS ticket scheme?

Maybe, and Unknown.

> The next question is that if it does support the session reuse, how is
> the session cache maintained by squid?

Squid does not maintain SSL session cache. Squid simply relays details
to and from OpenSSL. What happens in there is up to your OpenSSL library
configuration.

Squid ssl_crtd and validator features maintain a cache of *certificates*
which have been generated or seen in the current traffic.

> Also will the session reuse functionality be available both between
> client-squid and squid-origin server.

No. client-squid and squid-origin traffic is unrelated. HTTP/1.1
contains multiplexing which means any request may arrive in any client
connection and go out any suitable server connection.

> I am looking at forward proxy mode

In normal forward-proxy mode there are two ways Squid handles SSL.
A) CONNECT method. An opaque binary stream of data between the client
and server. Squid does not touch this in any way**.

B) SSL connection direct to the proxy. The SSL is decrypted using the
configured server cert and the result is plaintext HTTP requests for
https:// URLs, handled normally inside the proxy.

** except when SSL-bumping - in which case it unwraps the CONNECT and
decrypts the SSL exactly as if it had been received on an https_port -
the handling of (B) then applies.

Amos
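An added check for the behaviour described above (example script, not part of this thread or of Squid itself): because Squid keeps no session cache of its own, the way to learn whether a given https_port (or a bumped origin) resumes sessions, and whether it does so by ticket or by session ID, is to ask the OpenSSL side directly. It assumes the `openssl` command-line tool is installed; the host and port are whatever endpoint you are testing.

```shell
#!/bin/sh
# Added example: probe TLS session resumption on an endpoint such as a
# Squid https_port. What it reports reflects the OpenSSL library
# configuration behind Squid, not anything Squid stores itself.

# Classify one "openssl s_client" transcript read from stdin:
#   ticket - a non-empty session ticket was issued (RFC 5077 style)
#   id     - no ticket, but a non-empty Session-ID was issued
#   none   - neither, so resumption is effectively disabled
classify_session() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'TLS session ticket:'; then
        echo ticket
    elif printf '%s\n' "$out" | grep -Eq '^ *Session-ID: [0-9A-Fa-f]+'; then
        echo id
    else
        echo none
    fi
}

# Did the handshake in the transcript on stdin resume an earlier session?
# s_client prints "Reused, TLSvX, Cipher is ..." for a resumed session and
# "New, TLSvX, Cipher is ..." for a full handshake.
was_reused() {
    grep -q '^Reused, ' && echo yes || echo no
}

# Live check (needs network): the first handshake stores the session in a
# temp file, the second one offers it back and we see whether it was taken.
check_resumption() {
    host=$1; port=${2:-443}; sess=$(mktemp)
    first=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -sess_out "$sess" 2>/dev/null)
    second=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -sess_in "$sess" 2>/dev/null)
    rm -f "$sess"
    printf 'mechanism=%s reused=%s\n' \
        "$(printf '%s\n' "$first" | classify_session)" \
        "$(printf '%s\n' "$second" | was_reused)"
}
```

Run `check_resumption proxy.example.com 3129` (placeholder host and port) against the https_port; a result of `reused=no` with `mechanism=none` means the OpenSSL build or its settings, not Squid, has switched resumption off.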
Received on Thu Jun 20 2013 - 05:02:11 MDT
