On 8/07/2016 5:05 a.m., Alex Rousskov wrote:
> On 07/07/2016 10:41 AM, Steve Hill wrote:
>> Realistically, shouldn't the SNI reflect the DNS request that was made
>> to find the IP of the server you're connecting to? You would never make
>> a DNS request for '*.example.com' so I don't see a reason why you would
>> send an SNI that has a larger scope than the DNS request you made.
>
> My DNS request was for coordinator.example.com. Since I wrote both sides
> of the software, I know that the SSL server on that hostname will direct
> me to the "best" internal *.service.example.com if I ask it to do that
> by sending a wildcard SNI. That "SSL routing" will be based on some
> internal business logic unavailable to the DNS resolver.
>
> Is this design a good idea? No.
>
> Is this bad idea "realistic"? Evidently, it is.
>

Not really though. It depends on bugs in the receiving server software.
So even if it worked yesterday without a TLS proxy, it broke when the
server side of things changed.

Amos
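As an added illustration of the point debated above (this is example code, not anything from the squid-users thread or from Squid itself), the check below is what a TLS-inspecting proxy or a server operator could apply to a received SNI value. RFC 6066 defines `server_name` as a fully qualified DNS hostname and forbids literal IP addresses; the wildcard test and the comparison against the name the client actually resolved follow Steve Hill's reasoning, so a `*.service.example.com` SNI is flagged rather than relying on whatever the receiving server happens to do with it. The label syntax regex, the function names and the sample inputs are assumptions made for this example.

```python
import ipaddress
import re

# Assumed label rule for this example: letters, digits and hyphens only,
# 1-63 characters, no leading or trailing hyphen (classic LDH hostname syntax).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def sni_problems(server_name: str) -> list:
    """Return the reasons an SNI value is not an acceptable server_name.

    An empty list means the value passes. Checks, in order:
    - not empty, total length at most 253 characters
    - not a literal IPv4/IPv6 address (RFC 6066 forbids these in SNI)
    - no wildcard label (a wildcard is not a fully qualified hostname)
    - at least two labels, each valid under the LDH rule above
    """
    name = server_name.rstrip(".")  # tolerate a single trailing dot
    if not name:
        return ["empty"]
    problems = []
    if len(name) > 253:
        problems.append("too long")
    try:
        ipaddress.ip_address(name)
        problems.append("ip literal")
    except ValueError:
        pass  # not an address: the normal case
    labels = name.split(".")
    if any("*" in label for label in labels):
        problems.append("wildcard")
    if len(labels) < 2:
        problems.append("not fully qualified")
    for label in labels:
        if "*" in label:
            continue  # already reported as a wildcard
        if not _LABEL_RE.match(label):
            problems.append(f"bad label {label!r}")
            break
    return problems


def sni_matches_lookup(server_name: str, resolved_name: str) -> bool:
    """True when the SNI names exactly the host the client resolved via DNS.

    Comparison is case-insensitive and ignores a trailing dot; a wildcard
    or any broader scope than the resolved name is a mismatch.
    """
    norm = lambda s: s.rstrip(".").lower()
    return norm(server_name) == norm(resolved_name)


def decide(server_name: str, resolved_name: str) -> tuple:
    """Policy a proxy could apply: ('forward', []) or ('reject', reasons)."""
    reasons = sni_problems(server_name)
    if not sni_matches_lookup(server_name, resolved_name):
        reasons.append("does not match resolved name")
    return ("reject", reasons) if reasons else ("forward", [])


if __name__ == "__main__":
    # Constructed sample inputs: the two names discussed in the thread,
    # plus an IP literal and a single-label name.
    cases = [
        ("coordinator.example.com", "coordinator.example.com"),
        ("*.service.example.com", "coordinator.example.com"),
        ("192.0.2.10", "coordinator.example.com"),
        ("localhost", "localhost"),
    ]
    for sni, dns in cases:
        print(f"{sni:28} -> {decide(sni, dns)}")
```

Run stand-alone, the script prints one decision per sample: the plain hostname is forwarded, while the wildcard, the IP literal and the single-label name are rejected with the reason list attached, which is the information an operator would want in the proxy log when a client that "worked yesterday" starts failing.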