[squid-dev] [PATCH] server_name ACL

Marcus Kool marcus.kool at urlfilterdb.com
Thu Apr 9 21:56:59 UTC 2015



On 04/09/2015 10:06 AM, Tsantilas Christos wrote:
> Hi all,
>   I am reposting this patch. It is updated to the latest squid-trunk.
>
> In a discussion with Amos (the period the squid-dev was down):
>    1) The server_name should be renamed to tls_server_name or ssl::server_name
>    2) There is a bug in Ssl::matchX509CommonNames function. The subjectAltName, if it exists, should be used instead of the subject name.

Don't forget that subjectAltName is a list of hostnames which may also contain wildcards.

Best regards
Marcus

> The (2) should be fixed as a separate issue/bug, and also applied to squid-3.5.
>
> What about the (1) ?
> The "ssl:" prefix looks better because the new feature can be used for SSL v3 too; it does not depend on TLS. (However, I believe that we should agree on and use one prefix for all of these features so as not to
> confuse users.)
>
>
> Regards,
>     Christos
>
> On 02/24/2015 10:29 PM, Tsantilas Christos wrote:
>> Hi all,
>>
>>
>> This patch adds server_name ACL matching server name(s) obtained from
>> various sources such as CONNECT request URI, client SNI, and SSL server
>> certificate CN.
>>
>> During each SslBump step, Squid improves its understanding of a "true
>> server name", with a bias towards server-provided (and Squid-validated)
>> information.
>>
>> The server-provided server names are retrieved from the server
>> certificate CN and Subject Alternate Names. The new server_name ACL
>> matches any of alternate names and CN. If the CN or an alternate name is
>> a wildcard, then the new ACL matches any domain that matches the domain
>> with the wildcard.
>>
>> Other than supporting many sources of server name information (including
>> sources that may supply Squid with multiple server name variants and
>> wildcards), the new ACL is similar to dstdomain.
>>
>> Also added a server_name_regex ACL.
>>
>>
>> _______________________________________________
>> squid-dev mailing list
>> squid-dev at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-dev
>>
>

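As an added illustration of the matching Christos describes and of Marcus's caveat that subjectAltName is a list that may hold wildcards (example code, not Squid's own; the function names, the SAN-before-CN rule and the one-label wildcard rule are assumptions):

```cpp
// Added example, not Squid's code: dstdomain-style matching of a requested
// server name against the names taken from a server certificate.
// Assumptions: names arrive already extracted (CN and subjectAltName DNS
// entries); only a leading "*." wildcard covering one label is honoured.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case a hostname and drop one trailing dot so comparisons are stable.
static std::string normalizeHost(std::string host) {
    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (!host.empty() && host.back() == '.')
        host.pop_back();
    return host;
}

// Does a single certificate name (possibly "*.example.com") cover `host`?
bool certNameMatches(const std::string &certName, const std::string &hostIn) {
    const std::string host = normalizeHost(hostIn);
    const std::string name = normalizeHost(certName);
    if (name.rfind("*.", 0) != 0)          // no wildcard: exact match only
        return name == host;
    const std::string suffix = name.substr(1);   // ".example.com"
    if (host.size() <= suffix.size())
        return false;
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0)
        return false;
    // The "*" may stand for exactly one label: no dots allowed in the prefix.
    const std::string label = host.substr(0, host.size() - suffix.size());
    return !label.empty() && label.find('.') == std::string::npos;
}

// Certificate names as the ACL would see them: subjectAltName DNS entries
// take precedence; the CN is consulted only when no SAN is present.
bool serverNameMatches(const std::vector<std::string> &sanNames,
                       const std::string &commonName, const std::string &host) {
    if (!sanNames.empty())
        return std::any_of(sanNames.begin(), sanNames.end(),
                           [&](const std::string &n) { return certNameMatches(n, host); });
    return certNameMatches(commonName, host);
}
```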