Search squid archive

Re: host_verify_strict and wildcard SNI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/07/2016 01:53 PM, Amos Jeffries wrote:
> On 8/07/2016 4:50 a.m., Alex Rousskov wrote:
>> On 07/07/2016 06:23 AM, Amos Jeffries wrote:
>>> On 7/07/2016 11:30 p.m., Marcus Kool wrote:
>>>>>> On 07/06/2016 10:07 PM, Alex Rousskov wrote:
>>>>>>> Q3. What should Squid do when receiving a wildcard SNI?
>>
>>>> Squid _has_ the original IP so why would Squid potentially connect to an
>>>> other IP ?
>>
>>> Because the inbound and outbound connections are not related. 
>>
>> For intercepted connections they should be IMHO. By default, we should
>> [if allowed by all the internal checks] connect to the exact IP the
>> client was connecting to when we intercepted (cache peering, cache hits,
>> and similar special cases aside, of course).
>>
>> Amos, are you sure we not doing that already for intercepted
>> connections? If we are not, I think this is a missing feature essential
>> for many (most?) deployments! I certainly understand that some admins
>> will need to "reroute" some intercepted requests, but rerouting ought to
>> be an exception, not the norm. Do you agree?

> Yes we are using the client ORIGINAL_DST as most preferred outgoing route.

Whew!


> However, when the admin configures "client_dst_passthru off" to force
> the DNS results to be used, or configures cache_peer to be used instead
> we obey those instructions instead. 

Sounds good.


> Also if the most preferred route is
> down the alternatives can happen.

That silent and poorly (or un)documented violation of the
"client_dst_passthru on" setting feels like a Squid bug to me, but this
is not my area of expertise.


>> Perhaps we screwed it up by replacing the IP address with SNI in the
>> fake CONNECT target at some point? If that is what changed Squid
>> behavior, then we should fix the code so that Squid connects to the
>> intended destination IP regardless of the fake CONNECT target. One way
>> to do that would be to provide that intended IP address in the fake
>> CONNECT request itself, via X-Going-To or similar -- doing so would
>> allow adaptation services to adjust Squid behavior as needed.

> I think the first CONNECT message which uses raw-IP should end with
> setting up a (TCP only at this point) server connection of type PINNED.
> Then the TLS bumping and second CONNECT message with SNI details should
> use that connection for all the followup activity.

I like that suggestion! However, if we do honor "client_dst_passthru on"
for bumped traffic already, then this [far from trivial] "TCP CONNECT"
implementation can wait.


Thank you,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux