Hi, sorry for the late response and the ambiguity in the initial post.
That fact is unrelated to the concern being raised in this thread AFAICT: The concern is _not_ whether Squid verifies the target of the SNI-based CONNECT during step3. The concern is whether Squid verifies the target of the SNI-based CONNECT at all.
Exactly. If splicing in step2, the SNI is validated (DNS lookup, comparing results with IP from client request). In that configuration, hostHeaderVerify is called twice, once at step1 (without any hosts, always passes) and once at step2 (with SNI, if present).
If peeking in step2 and splicing in step3, the SNI is *not* validated in step2 -- hostHeaderVerify is only called once without any hostname at step1 in that case and that always passes.
Andreas
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
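
The two ssl_bump rule sets contrasted in the message above, written out as squid.conf fragments. This is an added illustration, not part of the original post or of the Squid project's documentation. The ACL names step1, step2 and step3 are chosen here, and the comments restate the behaviour as the message describes it.

```conf
# ACLs matching the three SslBump processing steps
# (the names step1/step2/step3 are chosen for this example).
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Variant A: peek at step1, splice at step2.
# Per the message: hostHeaderVerify is called at step1 (no hostname,
# always passes) and again at step2 with the SNI, if present, so the
# SNI is resolved and compared with the IP from the client request.
ssl_bump peek step1
ssl_bump splice step2

# Variant B: peek at step1 and step2, splice at step3.
# Per the message: hostHeaderVerify is called only once, at step1,
# without any hostname, so the SNI is not validated at step2.
# Use these lines instead of the Variant A rules, not alongside them.
#ssl_bump peek step1
#ssl_bump peek step2
#ssl_bump splice step3
```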