Re: hostHeaderVerify with SNI in interception environments

On 9/17/21 3:29 PM, Andreas Weigel wrote:

> If splicing at step3, however, hostHeaderVerify is not called again with
> the SNI

I assume that the above statement would still be true if I remove the
word "again" from it. This is how I interpreted it (i.e.
hostHeaderVerify() is called once with the IP address and never with SNI).

There are other ways to interpret that statement (e.g., hostHeaderVerify
was called with SNI once, but you expected it to be called with SNI twice).


> I was wondering if this could be considered a bug or if there is a
> rationale to change the behavior in the "peek at step2, splice at step3"
> scenario.

If my interpretation above is correct, then this sounds like a bug to
me: Squid/hostHeaderVerify() must validate every request target value
Squid intends to use for cache lookups and/or connecting. If the request
target changes from IP to SNI, then Squid must validate exactly twice.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
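
An added illustration, not part of the message above and not Squid source code: a simplified C++ model of the rule that every request target value is validated before use, so a "peek at step2, splice at step3" flow validates once for the IP and once for the SNI. The DNS table, names and addresses are constructed, and the check itself (a name must resolve to the intercepted destination IP) is an assumed simplification of host verification.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
// Constructed name -> addresses table standing in for DNS (hypothetical data).
typedef std::map<std::string, std::set<std::string> > Dns;

struct Intercepted {
    std::string dstIp;   // original destination of the intercepted TCP connection
    std::string target;  // value currently used for cache lookups and connecting
    int checks;          // number of validations performed so far
    bool trusted;        // result of the most recent validation
};

// Assumed rule: an IP target must equal the dialed address; a name target
// must resolve to a set of addresses that contains the dialed address.
static bool verifyTarget(const Dns &dns, const std::string &dstIp, const std::string &target) {
    if (target == dstIp) return true;
    Dns::const_iterator it = dns.find(target);
    return it != dns.end() && it->second.count(dstIp) > 0;
}

// Single choke point: a new target value is never stored without being validated.
static void setTarget(const Dns &dns, Intercepted &c, const std::string &target) {
    c.target = target;
    c.trusted = verifyTarget(dns, c.dstIp, target);
    ++c.checks;
}

// Peek at step2, splice at step3: the target starts as the destination IP and
// is replaced by the SNI learned from the peeked ClientHello.
static Intercepted peekThenSplice(const Dns &dns, const std::string &dstIp, const std::string &sni) {
    Intercepted c = { dstIp, "", 0, false };
    setTarget(dns, c, dstIp);                  // validation 1: IP target
    if (!sni.empty()) setTarget(dns, c, sni);  // validation 2: SNI target
    return c;
}
static Dns sampleDns() {
    Dns dns;
    dns["example.com"].insert("192.0.2.10");
    dns["other.example"].insert("198.51.100.7");
    return dns;
}

int main() {
    Intercepted c = peekThenSplice(sampleDns(), "192.0.2.10", "other.example");
    std::cout << c.target << " checks=" << c.checks << " trusted=" << c.trusted << "\n";
    return 0;
}
```

Because the target is only ever changed through `setTarget()`, the SNI that replaces the IP cannot skip its own validation, which is the property the thread finds missing in the splice-at-step3 path.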


