
Re: 4.17 and 5.3 SSL BUMP issue: SSL_ERROR_RX_RECORD_TOO_LONG


On 1/24/22 2:42 AM, Eliezer Croitoru wrote:
> 2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
> local=142.250.179.228:443 remote=10.200.191.171:51831 FD 16 flags=33 (local
> IP does not match any domain IP)

As you know, Squid improvements related to these messages have been
discussed many times. I bet the ideas summarized in the following old
email remain valid today:

http://lists.squid-cache.org/pipermail/squid-users/2019-July/020764.html


If you would like to address the browser's SSL_ERROR_RX_RECORD_TOO_LONG
specifically (the error in your email Subject line), then that is a
somewhat different matter: According to your packet capture, Squid sends
a plain text HTTP 409 response to a TLS client. That is not going to
work with popular browsers (for various technical and policy reasons).

Depending on the SslBump stage where the Host header forgery was
detected, Squid could bump the client connection to deliver that error
response; in that case, the browser may still refuse to show the
response to the user because the browser will not trust the certificate
that Squid would have to fake without sufficient origin server info.
However, the browser error will be different and arguably less confusing
to admins and even users.

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
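The following is an added example, not code from the squid-users thread or from the Squid project. It shows, in Python, why a TLS client that receives Squid's plain-text HTTP 409 reports a "record too long" error: the client reads the first five bytes as a TLS record header, and the ASCII bytes of `HTTP/` decode to a length field far above the 2^14-byte record limit. It also parses the `SECURITY ALERT: Host header forgery detected` line quoted above (re-joined onto one line) so the endpoints can be fed into whatever DNS comparison or reporting an admin uses. The function names, the verdict strings and the sample inputs are constructed here; the alert line's values are the ones from the thread.

```python
"""Added example: decode a plain-text HTTP response as a TLS client would,
and parse Squid's host-forgery alert line. Not part of Squid."""
import re
import struct

# TLS record header: content type (1 byte), legacy version (2), length (2).
TLS_RECORD_HEADER = struct.Struct("!BHH")
# RFC 8446 section 5.1: a plaintext record carries at most 2^14 bytes.
TLS_MAX_PLAINTEXT = 2 ** 14
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}


def classify_first_record(data: bytes) -> dict:
    """Interpret the first bytes off a socket the way a TLS client does.

    Verdicts (names constructed for this example):
      'short'            fewer than 5 bytes, nothing to decide yet
      'record_too_long'  length field exceeds the plaintext record limit;
                         Firefox/NSS surfaces this as SSL_ERROR_RX_RECORD_TOO_LONG
      'bad_content_type' length is in range but the first byte is not a TLS type
      'plausible_tls'    header looks like a real TLS record
    """
    if len(data) < TLS_RECORD_HEADER.size:
        return {"verdict": "short"}
    ctype, version, length = TLS_RECORD_HEADER.unpack_from(data)
    result = {"content_type": ctype,
              "content_type_name": CONTENT_TYPES.get(ctype),
              "version": version, "length": length}
    # NSS checks the length before it looks at the content type, so a
    # plain-text "HTTP/..." (length 0x502F = 20527) trips the length check.
    if length > TLS_MAX_PLAINTEXT:
        result["verdict"] = "record_too_long"
    elif ctype not in CONTENT_TYPES:
        result["verdict"] = "bad_content_type"
    else:
        result["verdict"] = "plausible_tls"
    return result


# Matches the cache.log alert format shown in the thread; \S+ for the address
# so bracketed IPv6 literals also parse.
ALERT_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+):(?P<local_port>\d+) "
    r"remote=(?P<remote>\S+):(?P<remote_port>\d+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)"
)


def parse_forgery_alert(line: str):
    """Return the endpoints, FD, flags and reason from one alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("local_port", "remote_port", "fd", "flags"):
        fields[key] = int(fields[key])
    return fields


if __name__ == "__main__":
    # Constructed: what a TLS client receives when Squid answers in plain text.
    plain_409 = b"HTTP/1.1 409 Conflict\r\nContent-Type: text/html\r\n\r\n"
    print(classify_first_record(plain_409))
    # Constructed: a minimal TLS 1.x handshake record header plus 5 body bytes.
    print(classify_first_record(b"\x16\x03\x01\x00\x05" + b"\x00" * 5))
    # The alert quoted in the thread, re-joined onto one line.
    print(parse_forgery_alert(
        "2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on "
        "local=142.250.179.228:443 remote=10.200.191.171:51831 FD 16 flags=33 "
        "(local IP does not match any domain IP)"))
```

Running the block prints a `record_too_long` verdict with `length` 20527 for the plain-text response, which is the condition the browser is reporting; a bumped connection that carries the 409 inside a TLS record avoids that particular error even if the browser then rejects the certificate, as the reply above explains.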


