How to make Squid send the SNI to an eCAP adapter and then make a decision to bump or splice

Asked by Jatin on 2019-10-22

I have an eCAP adapter. I was looking for a way to configure Squid so that I can receive the SNI in the eCAP adapter. I already have ACLs in place which will take care of bumping. I am using a note ACL which is set to yes by my eCAP adapter if bumping is required. But the problem is that I don't see the SNI at the right stage, and by then it is too late to make the decision to bump or splice.

Question information

Language: English
Status: Solved
For: eCAP
Assignee: No assignee
Solved by: Jatin
Solved: 2019-10-22
Last query: 2019-10-22
Last reply: 2019-10-22

Jatin (jbhasin83) said : #1

If only we could somehow trigger the adaptation ACL check again after startPeekAndSpliceDone, when we have a valid client SNI.

Alex Rousskov (rousskov) said : #2

Squid has adaptation_meta, which can carry %<A and even %>handshake. However, this question is specific to Squid, not eCAP. If needed, please follow up on squid-users rather than here.

Jatin (jbhasin83) said : #3

Hi Alex,

In the past I asked this question on the squid-users mailing list, but I did not get a satisfactory answer there.

The solution you have suggested may not work because:

Squid creates a fakeConnect, which comes to eCAP as well (using tfconnect), before it even extracts the SNI. Hence at this point in time adaptation_meta will not have access to the SNI, as Squid itself does not have it.

After the fakeConnect in step 1 I am using peek, which extracts the SNI, but at this point Squid does not make another call to eCAP. This function in Squid is startPeekAndSpliceDone in the file client_side.cc. In this function it only makes a call to the SSL-bump ACLs to check, but no call to eCAP.

I was hoping that at this point I could put in a call to http->doCallouts, which would make the call to the eCAP adapter, and this time we would have the SNI as well?
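For readers who want to see the arrangement the thread is talking about, here is the squid.conf layout it implies: a pre-cache eCAP request service, adaptation_meta entries carrying the %<A and %>handshake values from post #2, the note ACL the adapter sets, and the stepped ssl_bump rules that consume that note. This is an added configuration example, not a config from either poster or from the Squid or eCAP projects; the service id, the service URI, the note name and the certificate path are placeholders. It also illustrates the limitation post #3 describes: the adapter is called at the SslBump1 fake CONNECT, before the client hello has been read, so the handshake meta is empty at the one point where the adapter runs, and the peek at step 1 does not trigger a second adaptation call.

```conf
# Added example: stepped SSL bump driven by an eCAP note (placeholders marked).
http_port 3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on

# Pre-cache request adaptation; the URI is a placeholder for your adapter.
ecap_enable on
ecap_service sniAdapter reqmod_precache uri=ecap://example.invalid/sni-adapter
adaptation_access sniAdapter allow all

# Meta headers sent to the adapter. %<A is the server address, %>handshake the
# raw client handshake. At the SslBump1 (fake CONNECT) call-out the client
# hello has not been read yet, so the handshake value is empty there.
adaptation_meta X-Server-Address "%<A" all
adaptation_meta X-Client-Handshake "%>handshake" all

# SslBump step ACLs.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Annotation the adapter sets (note name "bump" is a placeholder) when it
# wants the connection bumped.
acl bump_wanted note bump yes

# Peek at step 1 (reads the client hello, including the SNI), then decide.
# The bump/splice decision below sees the note as it was set during the
# step-1 adaptation call, i.e. before the SNI was available to the adapter.
ssl_bump peek step1
ssl_bump bump bump_wanted
ssl_bump splice all
```

Checking what the adapter actually receives is straightforward: log the X-Client-Handshake meta header inside the adapter, or add `%>handshake` to a custom logformat, and compare against the step at which the adaptation call fires. If the value is empty on every adapter invocation, the call-out is happening at step 1 only, which is the situation the poster describes.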

Alex Rousskov (rousskov) said : #4

> I did not get a satisfactory answer over there

That is unfortunate, but it is not a valid reason to abuse these Answers for Squid-specific support.

Jatin (jbhasin83) said : #5

.