[squid-dev] Host header forgery detection when peeking for SNI

[Dave Lewthwaite]

Hi,

We are running into an issue that has come up a few times on the mailing lists - host header forgery detection when using SSL peek in order to include SNI logging in access logs. (Clients operating in transparent mode).

As far as I can tell I have narrowed it down to ClientRequestContext::hostHeaderVerifyFailed, there is a line -

if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT)

Along with the comment "// NP: we do not yet handle CONNECT tunnels well, so ignore for them".

If I remove the method check then the sites hitting this issue start loading fine, however, I don't know what the implications are of doing this - especially given the comment. (I do understand the implications of disabling host verification entirely).

It's also worth noting that this still occurs even when both client and server are using the same DNS servers (although it's not as often) and clearly it is a problem that does occur in the real world.

What is the impact of removing the method check so that this code path is used for CONNECT requests?

Thanks

Dave Lewthwaite




This email and any attachments to it may contain confidential information and are intended solely for the addressee.



If you are not the intended recipient of this email or if you believe you have received this email in error, please contact the sender and remove it from your system.Do not use, copy or disclose the information contained in this email or in any attachment.

RealityMine Limited may monitor email traffic data including the content of email for the purposes of security.

RealityMine Limited is a company registered in England and Wales. Registered number: 07920936 Registered office: Warren Bruce Court, Warren Bruce Road, Trafford Park, Manchester M17 1LB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20161025/9a6218a4/attachment.html>