On 16/05/18 02:02, Eliezer Croitoru wrote:
> Hey Martin,
>
> Technically there should be a way to inform Squid-Cache about multiple addresses for the same destination.
> If Squid doesn't know that it's a real IP of the domain, a partial solution is to use the same DNS service, but it can also be something else.
> For example there should be a way/option for Squid to decide if this address of the client or server is secured.
>
> Amos, what do you think?
> Can a Host header forgery detection override ACL be added? Should it be added?
> I believe that if there are some properties to the remote certificate we can flag the service as "Secure".
> I.e. if the OS runs "openssl s_client -host www.ubuntu.com -connect 91.189.89.118:443"
> and the certificate is fine then... there is no place for any SECURITY ALERT.

A malicious actor would simply forward the TLS handshake to the real server they are spoofing. Same way Squid does for SSL-Bump.

The counter argument of not sending SNI to that suspicious server will have failures with these exact same mega-corp services. Think foo.example.com hosted on Google hosting where the generic server cert is "foo.1e1.net", not "foo.example.com", nor even "google.com".

The "problem" that needs to be resolved is simply that the genuine servers do not have a reliable match between their IP and client presented domain name(s).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
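The check under discussion and the two failure modes Amos describes, as an added example in Python that is not Squid's code nor code from anyone in this thread. The DNS answers, the addresses (RFC 5737 documentation ranges), the certificate names and the "relay" node are all constructed for illustration: host_forgery_check() models Squid's Host-header forgery test (the Host name must resolve, for the proxy, to the address the client connected to), fetch_cert() models what the proxy would see from an `openssl s_client` probe with or without SNI, and cert_matches() is the proposed certificate-based override.

```python
import ipaddress

# Constructed DNS snapshot as seen by the proxy's resolver. A CDN name
# returns a subset of a rotating pool, so the client's own lookup may
# legitimately have produced an address the proxy never saw.
DNS = {
    "www.example.com": {"203.0.113.10"},
    "cdn.example.net": {"198.51.100.5", "198.51.100.6"},
}

# Constructed network. An origin/edge node lists the certificate names it
# presents per SNI (None = no SNI sent). A relay node terminates nothing:
# it forwards the ClientHello, SNI included, and hands back whatever
# certificate the real server sends, so the probe cannot tell it apart.
NETWORK = {
    "203.0.113.10": {"certs": {None: ["www.example.com"]}},
    "198.51.100.5": {"certs": {"cdn.example.net": ["cdn.example.net"],
                               None: ["cdn.1e1.net"]}},
    # Pool member the proxy's DNS answer did not include (genuine, still alerts).
    "198.51.100.9": {"certs": {"cdn.example.net": ["cdn.example.net"],
                               None: ["cdn.1e1.net"]}},
    "192.0.2.99": {"forward_to": "203.0.113.10"},  # attacker's relay (hypothetical)
}


def host_forgery_check(dest_ip, host_header, dns=DNS):
    """Squid-style check: the Host header must resolve, for the proxy, to
    the address the client actually connected to. Returns (verdict, reason)."""
    try:
        ip = str(ipaddress.ip_address(dest_ip))
    except ValueError:
        return "alert", "destination %r is not an IP address" % (dest_ip,)
    answers = dns.get(host_header.lower().rstrip("."))
    if not answers:
        return "alert", "%s does not resolve" % host_header
    if ip in answers:
        return "ok", "%s resolves to %s" % (host_header, ip)
    return "alert", "%s resolves to %s, client connected to %s" % (
        host_header, sorted(answers), ip)


def fetch_cert(dest_ip, sni, network=NETWORK, _hops=0):
    """Names on the certificate the proxy would see from
    `openssl s_client -connect dest_ip:443 [-servername sni]`.
    A relay forwards the handshake unchanged, so the origin's cert comes back."""
    if _hops > 8:
        raise RuntimeError("relay loop")
    node = network[dest_ip]
    if "forward_to" in node:
        return fetch_cert(node["forward_to"], sni, network, _hops + 1)
    certs = node["certs"]
    return certs.get(sni, certs[None])


def cert_matches(dest_ip, expected_name, sni, network=NETWORK):
    """The proposed override: accept the destination if the certificate it
    presents names expected_name. True for a genuine server and for a relay."""
    names = [n.lower() for n in fetch_cert(dest_ip, sni, network)]
    return expected_name.lower() in names


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "www.example.com"),  # genuine origin
        ("198.51.100.9", "cdn.example.net"),  # genuine CDN edge, address proxy never saw
        ("192.0.2.99", "www.example.com"),    # forged Host via attacker relay
    ]
    for ip, host in cases:
        verdict, why = host_forgery_check(ip, host)
        with_sni = cert_matches(ip, host, sni=host)
        no_sni = cert_matches(ip, host, sni=None)
        print("%-14s %-16s dns=%-5s cert(sni)=%-5s cert(no-sni)=%-5s  %s"
              % (ip, host, verdict, with_sni, no_sni, why))
```

Running it shows the three outcomes side by side: the CDN row alerts on DNS although it is genuine (the IP/name mismatch Amos calls the real problem), the certificate probe with SNI accepts both the genuine CDN edge and the attacker's relay (so it cannot serve as an override), and dropping SNI makes the genuine CDN edge fail because it falls back to its generic hosting certificate.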