
Re: host_verify_strict and wildcard SNI

On 07/07/2016 10:49 AM, Yuri wrote:

A similar question can be asked about SNI names containing unusual
characters. At some point, it would be too dangerous to include SNI
information in the fake CONNECT request because it will interfere with
HTTP rules, but it is not clear where that point is exactly.

To support the weirdest apps Squid might have to simply copy all
unusual characters to present the same parameter values to the server.

It is being mapped into the HTTP equivalent values, which are the Host:
header and the authority-URI. Only valid FQDN names can make it through the
mapping.

Here things get complicated.
Is it correct that Squid forces apps to follow standards, or
should Squid try to proxy connections for apps when it can?

Squid isn't enforcing standards here. As Steve's original message says:
"generates a "CONNECT *.example.com:443" request based on the peeked SNI"
  - which is arguably invalid HTTP syntax, but oh well.

It then is unable to do a DNS lookup for *.example.com to find out what
its IPs are and does the error handling action for a failure to verify
on a CONNECT message.

Yes, the fake CONNECT is dealt with like a regular CONNECT including
DNS lookup.  I fear for other apps (besides the one ios app that Steve
refers to) to break because Squid may connect to a different IP than
the client/app is requesting.
If Squid uses the original IP to connect without doing a DNS lookup,
Steve's app will work and potential issues with other apps are
prevented.

Interesting, Marcus. Does this mean that a CDN may present different IPs for a connection at different points in time, and that this makes client connections through Squid impossible?

It all depends on the app/client: if it uses a servername/SNI that
resolves to multiple IP addresses but needs to connect to the one
that it specifically wants to CONNECT to, the app can fail since
Squid might choose another IP address to connect to.

Or apps might become slow, since it may be faster for an app to reconnect
to the same server that it connected to before.
I think it is best to prevent issues and that Squid should connect
to the IP that the client is trying to connect to.

Marcus
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
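The mapping the thread is arguing about (peeked SNI becomes the authority of a synthesized CONNECT, and a value that is not a resolvable FQDN such as "*.example.com" breaks the DNS step) can be illustrated with a small decision helper. The block below is an added example written for this page; it is not Squid's code and does not reproduce Squid's internal logic. It applies the SNI rules of RFC 6066 section 3 (HostName is a fully qualified domain name, no IP literals) and the RFC 1123 label syntax, and when the SNI fails those checks it falls back to the client's original destination IP, which is the behaviour Marcus argues for above. The function names, the fallback policy and the sample addresses (203.0.113.10, 2001:db8::1, documentation ranges) are assumptions of this example.

```python
import ipaddress
import re

# RFC 1123 label: 1-63 chars of letters, digits and hyphen, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def sni_is_valid_hostname(sni: str) -> bool:
    """True if `sni` can be used as the host part of a CONNECT authority
    and handed to DNS: a non-empty FQDN with RFC 1123 labels, no trailing dot,
    no wildcard and no IP literal (RFC 6066 forbids literal addresses in SNI)."""
    if not sni or len(sni) > 253:
        return False
    if sni.endswith("."):
        return False
    try:
        ipaddress.ip_address(sni)
        return False          # literal IPv4/IPv6 address, not a HostName
    except ValueError:
        pass
    # "*" (wildcard), "_" and other unusual characters fail the label check.
    return all(_LABEL.match(label) for label in sni.split("."))


def fake_connect_target(sni, orig_ip: str, orig_port: int = 443):
    """Decide what the synthesized CONNECT should name.

    Returns (authority, used_sni). If the peeked SNI is a valid hostname it is
    used as-is; otherwise the original destination IP of the client's TCP
    connection is used, so no DNS lookup (and no possibly different answer) is
    involved. This fallback policy is an assumption of the example."""
    if sni is not None and sni_is_valid_hostname(sni):
        return f"{sni}:{orig_port}", True
    host = orig_ip
    if ":" in orig_ip:        # IPv6 literal must be bracketed in an authority (RFC 3986)
        host = f"[{orig_ip}]"
    return f"{host}:{orig_port}", False


def build_fake_connect(sni, orig_ip: str, orig_port: int = 443) -> str:
    """Render the fake CONNECT request line plus Host header (RFC 7230 authority-form)."""
    authority, _ = fake_connect_target(sni, orig_ip, orig_port)
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample peeks: the wildcard case from the thread and a few edge cases.
    for sni in ("*.example.com", "app.example.com", "_sip.example.com",
                "example.com.", "2001:db8::1", None):
        print(repr(sni), "->", fake_connect_target(sni, "203.0.113.10"))
```

The wildcard case is the one Steve's iOS app triggers: `fake_connect_target("*.example.com", "203.0.113.10")` does not try to resolve the wildcard but keeps the client's original destination, while a normal SNI such as `app.example.com` is passed through unchanged. Whether the wildcard is rejected rather than copied verbatim ("to support the weirdest apps") is a policy choice; this example picks rejection because an authority that cannot be resolved is useless for the DNS-based verification the thread describes.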
