[squid-dev] [PATCH] Fast SNI peek

Alex Rousskov rousskov at measurement-factory.com
Mon May 16 19:03:15 UTC 2016

On 05/16/2016 01:51 AM, Eliezer Croitoru wrote:

> I have a question about this specific file and SNI peek and splice in general.

Your question is not specific to this patch/thread: AFAIK, the patch
does not change whether/how Squid validates SNI.

> For the scenario which the SNI declares www.google.com and the
> destination IP address is not the domain, IE default apache or any
> other domain. What happens? And specifically about the request
> splicing? And in more detail my concern is that if some software will
> fake the SNI knowing that the destination will never be the requested
> one but some default of another domain, will the request be spliced
> anyway?

Sorry, I do not know the exact answers to your questions. Please note
that the answers may depend on whether Squid intercepts or forwards
connections and on the SslBump step during which Squid splices the
connection. Researching this (and documenting any non-trivial answers on
Squid wiki) would be useful.



More information about the squid-dev mailing list