Search squid archive

Re: hostHeaderVerify with SNI in interception environments

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/17/21 7:10 PM, Amos Jeffries wrote:
> On 18/09/21 8:14 am, Alex Rousskov wrote:
>> On 9/17/21 3:29 PM, Andreas Weigel wrote:
>>
>>> If splicing at step3, however, hostHeaderVerify is not called again with
>>> the SNI
>>
>> I assume that the above statement would still be true if I remove the
>> word "again" from it. This is how I interpreted it (i.e.
>> hostHeaderVerify() is called once with the IP address and never with
>> SNI).
>>
>> There are other ways to interpret that statement (e.g., hostHeaderVerify
>> was called with SNI once, but you expected it to be called with SNI
>> twice).
>>
>>
>>> I was wondering if this could be considered a bug or if there is a
>>> rationale to change the behavior in the "peek at step2, splice at step3"
>>> scenario.
>>
>> If my interpretation above is correct, then this sounds like a bug to
>> me: Squid/hostHeaderVerify() must validate every request target value
>> Squid intends to use for cache lookups and/or connecting. If the request
>> target changes from IP to SNI, then Squid must validate exactly twice.


> SSL-Bump step 3 does not need to verify

That fact is unrelated to the concern being raised in this thread
AFAICT: The concern is _not_ whether Squid verifies the target of the
SNI-based CONNECT during step3. The concern is whether Squid verifies
the target of the SNI-based CONNECT at all.

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux