
host_verify_strict and wildcard SNI

I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be doing broken things with the SNI.

The app is making an HTTPS connection to a server and presenting an SNI with a wildcard in it - i.e. "*.example.com". I'm not sure if this behaviour is actually illegal, but it certainly doesn't seem to make a lot of sense to me.

Squid then internally generates a "CONNECT *.example.com:443" request based on the peeked SNI, which is picked up by hostHeaderIpVerify(). Since *.example.com isn't a valid DNS name, Squid rejects the connection on the basis that *.example.com doesn't match the IP address that the client is connecting to.

Unfortunately, I can't see any way of working around the problem - "host_verify_strict" is disabled, but according to the docs, "For now suspicious intercepted CONNECT requests are always responded to with an HTTP 409 (Conflict) error page."

As I understand it, turning host_verify_strict on causes problems with CDNs which use DNS tricks for load balancing, so I'm not sure I understand the rationale behind preventing it from being turned off for CONNECT requests?

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-1792-825748 / sip:support@xxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
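The check the post describes (a peeked SNI turned into a "CONNECT host:443" whose host must be a syntactically valid DNS name and must resolve to the IP the client actually connected to) can be illustrated in a few lines of Python. This is an added example and not Squid's hostHeaderIpVerify() code; the function names, the 409 wording and the resolver table are constructed for the illustration.

```python
import ipaddress
import re
from typing import Callable, Iterable, Tuple

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen,
# 1-63 characters. A "*" label, as in "*.example.com", does not match.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns_name(name: str) -> bool:
    """Syntactic hostname check (RFC 1123 style); a wildcard label fails."""
    name = name.rstrip(".")          # tolerate a trailing root dot
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def verify_intercepted_connect(sni: str, client_dst_ip: str,
                               resolve: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Decide whether a generated 'CONNECT <sni>:443' is consistent with the
    address the client really connected to.  Returns (ok, reason)."""
    if not is_valid_dns_name(sni):
        return False, f"SNI {sni!r} is not a valid DNS name; would be refused (409)"
    dst = ipaddress.ip_address(client_dst_ip)
    try:
        addrs = {ipaddress.ip_address(a) for a in resolve(sni)}
    except OSError:
        return False, f"{sni!r} does not resolve"
    if dst in addrs:
        return True, f"{sni!r} resolves to {client_dst_ip}"
    # The CDN case from the post: a valid name whose DNS answer differs from
    # the client's destination because of DNS-based load balancing.
    return False, f"{sni!r} resolves to {sorted(map(str, addrs))}, not {client_dst_ip}"


# Constructed resolver (documentation-range addresses) so this runs offline.
_FAKE_DNS = {
    "www.example.com": ["192.0.2.10"],
    "cdn.example.net": ["203.0.113.10", "203.0.113.11"],
}


def fake_resolve(name: str) -> Iterable[str]:
    try:
        return _FAKE_DNS[name.rstrip(".")]
    except KeyError:
        raise OSError(f"no such host: {name}")
```

Running the wildcard case through verify_intercepted_connect() fails at the syntax check before any DNS lookup, which is why disabling host_verify_strict makes no difference for it.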