On 9/21/21 10:14 AM, Andreas Weigel wrote:
> Hi,
>
> sorry for the late response and the ambiguity in the initial post.
>
>> That fact is unrelated to the concern being raised in this thread
>> AFAICT: The concern is _not_ whether Squid verifies the target of the
>> SNI-based CONNECT during step3. The concern is whether Squid verifies
>> the target of the SNI-based CONNECT at all.
>
> Exactly. If splicing in step2, the SNI is validated (DNS lookup,
> comparing results with IP from client request). In that configuration,
> hostHeaderVerify is called twice, once at step1 (without any hosts,
> always passes) and once at step2 (with SNI, if present).
>
> If peeking in step2 and splicing in step3, the SNI is *not* validated in
> step2 -- hostHeaderVerify is only called once without any hostname at
> step1 in that case and that always passes.

Glad we are on the same page.

FWIW, Factory is (slowly) working on an SslBump refactoring project that
may address this bug. I do not have a patch against official sources for
you to try, but you can keep track of our progress at
https://github.com/measurement-factory/squid/pull/108

Cheers,

Alex.
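The two SslBump configurations the thread contrasts, written out as a constructed squid.conf fragment (an added illustration, not part of the mailing-list exchange); it assumes the standard `at_step` ACL and `ssl_bump` directive syntax, and the comments restate only what Andreas described about when `hostHeaderVerify` runs.

```conf
# Constructed squid.conf fragment (added illustration, not from the thread).
# Assumes the standard at_step ACL and ssl_bump directive syntax.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Configuration A: peek at step1, splice at step2.
# Per the thread, hostHeaderVerify runs at step1 (no host, always passes)
# and again at step2 with the TLS SNI, so the SNI-based CONNECT target is
# resolved via DNS and compared against the IP from the client request.
ssl_bump peek step1
ssl_bump splice step2

# Configuration B: peek at step1 and step2, splice at step3.
# Per the thread, hostHeaderVerify runs only at step1 without a hostname,
# so the SNI is never validated before the connection is spliced.
# (Kept commented out here so only one configuration is active.)
#ssl_bump peek step1
#ssl_bump peek step2
#ssl_bump splice step3
```

Until the refactoring lands, an operator relying on SNI validation can audit their `ssl_bump` rules for the second pattern, since the missing check is a property of the step at which splicing happens rather than of any single directive.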