From e610b1832d3e2687b763b02c5113cdea4e8346a5 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Fri, 12 Jan 2018 18:30:20 +0100 Subject: [PATCH] Proxy/ssldump, improve ssl bumping. Use peek+stare to check the server cert before making a bump decision. --- src/opnsense/service/templates/OPNsense/Proxy/squid.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf index 40c9e3823..3eba52efc 100644 --- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf +++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf @@ -70,13 +70,15 @@ ssl_bump peek bump_step1 all ssl_bump splice all ssl_bump peek bump_step2 all ssl_bump splice bump_step3 all +ssl_bump bump {% else %} -ssl_bump splice bump_nobumpsites +ssl_bump peek bump_step1 all ssl_bump peek bump_step2 bump_nobumpsites ssl_bump splice bump_step3 bump_nobumpsites +ssl_bump stare bump_step2 +ssl_bump bump bump_step3 {% endif %} -ssl_bump bump sslproxy_cert_error deny all {% endif %}
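Review bot: The `ssl_bump bump` line added to the first branch looks unreachable, because `ssl_bump splice all` above it carries no step ACL; going by the visible rules it is the first match at step 2, so connections are spliced before `peek bump_step2 all`, `splice bump_step3 all` or the new `bump` are consulted. Either leave it out of that branch or mark it, e.g. `# not reached: "splice all" above ends rule processing at step 2`. In the else branch the rule order is what keeps the no-bump list working (a peek at step 2 still permits the splice at step 3, a stare does not), so a comment such as `# nobumpsites: peek then splice; everything else: stare, check server cert, bump` above those rules would guard against a later reordering. The `bump_nobumpsites` ACL is defined outside this hunk, so whether it exists when the no-bump list is empty cannot be confirmed from here.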