
Re: The status of AIA ie: TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ?

>> I would have expected that the remote host ip:port and sni would be logged
>> as well in the above mentioned line.

> SNI is one of the details TLS/1.3 encrypts now :(

To prevent misunderstandings, TLS 1.3 does not encrypt the SNI.

See https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni :
Although TLS 1.3 [RFC8446] encrypts most of the handshake, including
the server certificate, there are several ways in which an on-path
attacker can learn private information about the connection.  The
plaintext Server Name Indication (SNI) extension in ClientHello
messages, which leaks the target domain for a given connection, is
perhaps the most sensitive, unencrypted information in TLS 1.3.

However, there is an optional TLS 1.3 extension that may encrypt the SNI and refers to it as ESNI.

Marcus

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
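As an added illustration of the point quoted from the draft above (the server_name extension travels in the clear in the ClientHello, which is why a proxy or sensor that sees the first client record can log it, and why ESNI was proposed), here is a small Python parser. It is not code from this thread or from Squid: it constructs a sample ClientHello, extracts the SNI from the extensions block, and classifies the hello as carrying a plaintext SNI, no SNI, or the draft ESNI extension instead. The ESNI extension codepoint 0xffce is taken from the draft-ietf-tls-esni series and is an assumption here, as are all sample byte values.

```python
import struct

SNI_EXT = 0x0000    # server_name (RFC 6066), sent in plaintext in TLS 1.3
ESNI_EXT = 0xFFCE   # encrypted_server_name codepoint from draft-ietf-tls-esni (assumption)


def _u16(buf: bytes, pos: int) -> int:
    """Big-endian uint16 at pos, with a bounds check that raises ValueError instead of struct.error."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_sni(edata: bytes):
    """Return the first host_name entry of a server_name extension body, or None."""
    list_len = _u16(edata, 0)
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = edata[pos]
        name_len = _u16(edata, pos + 1)
        pos += 3
        name = edata[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:   # 0 = host_name
            return name.decode("ascii")
    return None


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; return legacy version, SNI and extension types."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = _u16(hello, pos); pos += 2
    pos += 32                                   # random
    pos += 1 + hello[pos]                       # legacy_session_id
    pos += 2 + _u16(hello, pos)                 # cipher_suites
    pos += 1 + hello[pos]                       # legacy_compression_methods
    result = {"legacy_version": legacy_version, "sni": None, "extensions": []}
    if pos == len(hello):                       # extensions block is optional in older versions
        return result
    end = pos + 2 + _u16(hello, pos); pos += 2
    if end > len(hello):
        raise ValueError("extensions overrun")
    while pos + 4 <= end:
        etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            raise ValueError("truncated extension")
        result["extensions"].append(etype)
        if etype == SNI_EXT:
            result["sni"] = parse_sni(edata)
    return result


def classify_sni(record: bytes) -> str:
    """What a passive observer (or a logging proxy) can learn about the target name."""
    info = parse_client_hello(record)
    if info["sni"] is not None:
        return "plaintext-sni"
    if ESNI_EXT in info["extensions"]:
        return "esni"
    return "no-sni"


def build_client_hello(server_name=None, extra_extensions=()) -> bytes:
    """Construct a minimal ClientHello record for testing (constructed sample, not a real capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    for etype, edata in extra_extensions:
        exts += struct.pack("!HH", etype, len(edata)) + edata
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # legacy_version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
             + b"\x01\x00"                                # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for rec in (build_client_hello("www.example.com"),
                build_client_hello(None),
                build_client_hello(None, [(ESNI_EXT, b"\x00")])):
        print(classify_sni(rec), parse_client_hello(rec)["sni"])
```

The builder only produces the fields the parser needs; a real ClientHello carries more extensions, but the walk over the extensions block is the same. The "no-sni" outcome is the case Squid's peek logic would also run into, since there is simply no name to log.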
