
Re: hostHeaderVerify with SNI in interception environments


Hi again,

> FWIW, Factory is (slowly) working on an SslBump refactoring project that may address this bug.

Thanks, I'll keep an eye on that.

Andreas

Quoting Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:

On 9/21/21 10:14 AM, Andreas Weigel wrote:
Hi,

sorry for the late response and the ambiguity in the initial post.

That fact is unrelated to the concern being raised in this thread
AFAICT: The concern is _not_ whether Squid verifies the target of the
SNI-based CONNECT during step3. The concern is whether Squid verifies
the target of the SNI-based CONNECT at all.

Exactly. If splicing in step2, the SNI is validated (DNS lookup,
comparing results with IP from client request). In that configuration,
hostHeaderVerify is called twice, once at step1 (without any hosts,
always passes) and once at step2 (with SNI, if present).

If peeking in step2 and splicing in step3, the SNI is *not* validated in
step2 -- hostHeaderVerify is only called once without any hostname at
step1 in that case and that always passes.

Glad we are on the same page. FWIW, Factory is (slowly) working on an
SslBump refactoring project that may address this bug. I do not have a
patch against official sources for you to try, but you can keep track of
our progress at https://github.com/measurement-factory/squid/pull/108


Cheers,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



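The check the thread is discussing, the SNI-based target verification that Squid runs when splicing at step2 but, as reported above, skips when peeking at step2 and splicing at step3, modelled as an added example; this is not Squid's hostHeaderVerify code, and the resolver table and addresses are constructed so it runs offline.

```python
import ipaddress

# Constructed DNS answers standing in for a real resolver (assumption, offline).
FAKE_DNS = {
    "example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "intranet.example": ["198.51.100.10"],
}


def fake_resolve(name):
    """Offline stand-in for the DNS lookup; returns A/AAAA answers as strings."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])


def verify_sni_target(sni, client_dst_ip, resolve=fake_resolve):
    """Check that the intercepted connection's original destination address is
    one of the addresses the TLS SNI resolves to.

    Returns (ok, reason).  sni=None models the step1 call, which has no
    hostname to compare and therefore always passes, as the thread describes.
    """
    if not sni:
        return True, "no hostname to verify (step1 call)"
    try:
        dst = ipaddress.ip_address(client_dst_ip)
    except ValueError:
        return False, "invalid destination address %r" % (client_dst_ip,)
    answers = resolve(sni)
    if not answers:
        return False, "%r did not resolve" % (sni,)
    resolved = {ipaddress.ip_address(a) for a in answers}
    if dst in resolved:
        return True, "%r resolves to %s" % (sni, dst)
    # Mismatch: the client named one host in the SNI but connected to an
    # address that name does not resolve to.  This is what the step2 check
    # catches and what the peek-then-splice-at-step3 path, per the thread,
    # never looks at.
    return False, "%r resolves to %s, but client connected to %s" % (
        sni, sorted(str(a) for a in resolved), dst)
```

A real deployment would compare against the full answer set of the live resolver, which can differ between the client's and the proxy's resolvers; that caveat is why the check is a consistency test rather than proof of intent.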


