On 18/09/21 8:14 am, Alex Rousskov wrote:
> On 9/17/21 3:29 PM, Andreas Weigel wrote:
>> If splicing at step 3, however, hostHeaderVerify is not called again with
>> the SNI
>
> I assume that the above statement would still be true if I remove the
> word "again" from it. This is how I interpreted it (i.e.,
> hostHeaderVerify() is called once with the IP address and never with SNI).
> There are other ways to interpret that statement (e.g., hostHeaderVerify
> was called with SNI once, but you expected it to be called with SNI twice).
>
>> I was wondering if this could be considered a bug or if there is a
>> rationale to change the behavior in the "peek at step 2, splice at step 3"
>> scenario.
>
> If my interpretation above is correct, then this sounds like a bug to
> me: Squid/hostHeaderVerify() must validate every request target value
> Squid intends to use for cache lookups and/or connecting. If the request
> target changes from IP to SNI, then Squid must validate exactly twice.

AIUI, SSL-Bump step 3 does not need to verify because a) it uses the
server connection set up at step 2, and b) the issue(s) checked for only
apply to a mismatch of names provided by clients vs the dst-IP.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users