[squid-dev] Moving from Bump-Server-First to Bump/Peek/Splice

Alex Rousskov rousskov at measurement-factory.com
Tue Sep 15 16:11:32 UTC 2015


On 09/15/2015 04:11 AM, Amos Jeffries wrote:
> On 15/09/2015 6:23 a.m., Alex Rousskov wrote:
>> On 09/14/2015 10:53 AM, Steve Hill wrote:
>>
>>> If you peek at step 1 and bump at step 2, everything works correctly -
>>> the CN, SAN, etc. from the original server certificate are copied into
>>> the forged certificate as expected.
>>
>> OK, that matches http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>>
>>> If you bump at step 1, the forged certificate's CN is whatever
>>> hostname/IP was given in the CONNECT request.
>>
>>
>> That may not match the above documentation. We claim that "bump"
>> establishes "a secure connection with the server and, using a mimicked
>> server certificate, with the client". I would expect the origin server
>> CN in the forged certificate then. We should change the documentation if
>> bumping at step #1 does (and should do) something else. Another bug
>> report to file?


> Only if the origin server is responding with some other CN values than
> is in the mimic'd certificate.

AFAICT, that is exactly what Steve is alleging.

Alex.
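As an added illustration (not part of this thread or of Squid's own documentation), here are the two configurations Steve contrasts, written as squid.conf fragments. The `at_step` ACL type and the `ssl_bump`/`http_port` options are Squid's; the ACL names `step1`/`step2`, the port number and the CA path are assumed placeholders.

```conf
# Shared part: an intercepting port that can bump TLS and forge certificates.
# /etc/squid/bump-ca.pem is a placeholder for the operator's signing CA.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Variant A (reported to work as documented): peek at step 1, bump at step 2.
# At step 1 Squid only forwards the client's ClientHello; by step 2 it has seen
# the origin server's certificate, so the forged certificate mimics its CN/SAN.
ssl_bump peek step1
ssl_bump bump step2

# Variant B (the behaviour Steve reports): bump at step 1.
# At this point Squid has not contacted the origin server at all, so the only
# name it knows is the CONNECT target; the thread discusses whether the forged
# certificate's CN should then be that name or the origin server's.
# To use this variant, replace the two lines above with:
#   ssl_bump bump step1

# Operator check (OpenSSL 1.1.0+ supports -proxy for an HTTP CONNECT hop):
# compare the subject/SAN the client receives with the origin certificate.
#   openssl s_client -proxy 127.0.0.1:3128 -connect example.com:443 \
#       -servername example.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -ext subjectAltName
```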