[squid-dev] Moving from Bump-Server-First to Bump/Peek/Splice
Alex Rousskov
rousskov at measurement-factory.com
Mon Sep 14 18:23:43 UTC 2015
On 09/14/2015 10:53 AM, Steve Hill wrote:
> If you peek at step 1 and bump at step 2, everything works correctly -
> the CN, SAN, etc. from the original server certificate are copied into
> the forged certificate as expected.
OK, that matches http://wiki.squid-cache.org/Features/SslPeekAndSplice
> If you bump at step 1, the forged certificate's CN is whatever
> hostname/IP was given in the CONNECT request.
That may not match the above documentation. We claim that "bump"
establishes "a secure connection with the server and, using a mimicked
server certificate, with the client". I would expect the origin server
CN in the forged certificate then. We should change the documentation if
bumping at step #1 does (and should do) something else. Another bug
report to file?
Alex.
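To make the two configurations Steve compares concrete, here is a constructed squid.conf fragment (added here, not part of the thread or of Squid's own documentation; the port, certificate paths and cache sizes are placeholders, and the comments only restate what Steve reports above):

```conf
# Constructed example, not from the thread. Paths, port and sizes are placeholders.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# SslBump steps: 1 = after CONNECT, 2 = after the client TLS Hello,
# 3 = after the server certificate has been received.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Variant A (reported to work): peek at step 1 so Squid learns the
# origin server certificate, then bump at step 2. The forged certificate
# mimics the origin CN and SAN.
ssl_bump peek step1
ssl_bump bump step2

# Variant B (reported behaviour): bump at step 1, before any origin
# certificate is available. The forged certificate's CN is whatever
# host/IP the client put in the CONNECT request.
# ssl_bump bump step1
```

To check which behaviour a given build exhibits, compare the subject and subjectAltName of the certificate the proxy presents to a test client against the origin server's certificate for the same hostname.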