[squid-dev] [PATCH] server_name ACL

Tsantilas Christos chtsanti at users.sourceforge.net
Thu Apr 9 13:06:38 UTC 2015 

Hi all,
  I am reposting this patch. It is updated to the latest squid-trunk.

In a discussion with Amos (the period the squid-dev was down):
   1) The server_name should be renamed to tls_server_name or 
ssl::server_name
   2) There is a bug in Ssl::matchX509CommonNames function. The 
subjectAltName if exists should be used instead of the subject name.

The (2) should be fixed as a separate issue/bug, and also applied to 
squid-3.5.

What about the (1) ?
The "ssl:" prefix looks better because the new feature can be used for 
ssl v3 too, it is not depends on tls. (However I believe that we should 
agree and use one prefix for all of these features to not confuse users)


Regards,
    Christos

On 02/24/2015 10:29 PM, Tsantilas Christos wrote:
> Hi all,
>
>
> This patch adds server_name ACL matching server name(s) obtained from
> various sources such as CONNECT request URI, client SNI, and SSL server
> certificate CN.
>
> During each SslBump step, Squid improves its understanding of a "true
> server name", with a bias towards server-provided (and Squid-validated)
> information.
>
> The server-provided server names are retrieved from the server
> certificate CN and Subject Alternate Names. The new server_name ACL
> matches any of alternate names and CN. If the CN or an alternate name is
> a wildcard, then the new ACL matches any domain that matches the domain
> with the wildcard.
>
> Other than supporting many sources of server name information (including
> sources that may supply Squid with multiple server name variants and
> wildcards), the new ACL is similar to dstdomain.
>
> Also added a server_name_regex ACL.
>
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: server_name-acl-t8.patch
Type: text/x-patch
Size: 44196 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150409/66f3201d/attachment-0001.bin>

More information about the squid-dev mailing list