Re: ssl_bump and SNI

On 4/06/2015 2:27 a.m., sp_ wrote:
> Hello Nathan,
> 
> thank you for the example.
> 
> What version of squid are you running?
> Mine is:
> 
> 
> I've tried to apply the config you've posted, but with no luck. Squid can't
> get the domain:
> 
> 

Well, it's not a simple situation. Let's start with clarifying some of the
details...

SNI is a relatively new feature of TLS. There is no guarantee of a
domain name actually existing in the bumped (step1) metadata.

So, Squid may have to do a peek at step2 to get the server cert details
before it has any clue about what the domain *might* be.

That also means the %ssl::>sni helper format token that the ACL helper
approach depends on will be "-" for these requests.

To resolve that, use the new (in squid-3.5.4) ssl::server_name ACL
instead, which checks against the CONNECT hostname (if any) at step1+,
the SNI domain (if any) at step2+, and the server cert domain at step3.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
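A squid.conf fragment illustrating the approach Amos describes, added here as an example and not taken from the thread or from any poster's configuration; the certificate path and the exemption-list file are assumptions.

```conf
# Added example (not from the thread). Assumed paths: /etc/squid/bump.pem
# and /etc/squid/nobump_domains.txt (one domain per line, dstdomain style).
http_port 3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Which SslBump step the ssl_bump rules are currently being evaluated at.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# squid-3.5.4+: ssl::server_name matches the CONNECT hostname at step1+,
# the client SNI at step2+ and the server certificate's domain at step3,
# so it carries a value even when the %ssl::>sni token would be "-".
acl nobump ssl::server_name "/etc/squid/nobump_domains.txt"

# ssl_bump rules are evaluated in order at every step; first match wins.

# Exempt domains: splice as soon as the name is known, i.e. from the
# CONNECT hostname at step1 or from the SNI at step2, passing the TLS
# session through untouched.
ssl_bump splice nobump

# step1 with no match: only the CONNECT host (if any) was known, so peek
# at the client hello to obtain the SNI before deciding anything.
ssl_bump peek step1

# step2 with no match: look at the server certificate. "stare" keeps
# bumping at step3 possible; a "peek" here usually precludes it, so a
# domain that can only be recognised from the server certificate cannot
# be both learned and bumped. Decide exemptions from the SNI where you can.
ssl_bump stare step2

# step3: everything that was not exempted is bumped.
ssl_bump bump all
```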