[squid-dev] [PATCH] ssl::server_name options to control matching logic.

Christos Tsantilas christos at chtsanti.net
Mon Jun 12 15:41:36 UTC 2017


patch applied to squid-5 as r15189, with the requested fixes.


On 31/05/2017 05:56 PM, Alex Rousskov wrote:
> On 05/30/2017 10:58 PM, Amos Jeffries wrote:
>> On 26/05/17 22:08, Christos Tsantilas wrote:
>>> --consensus allows matching a part of the conglomerate when the part's
>>> subject name is included in certificates used by many other
>>> conglomerate parts (e.g., matching Google but not Youtube).
> 
>> So this ACL option somehow makes Squid aware of corporate ownership and
>> political structures and human-world business operations? er, no.
> 
> Actually, the answer to your rhetorical question is "yes", provided
> those real-world things are expressed in certificate properties, as the
> proposed description states. This brief high-level description helps
> admins (with poor TLS knowledge) identify a relevant-to-them feature
> that they can then study in detail by reading squid.conf.documented and
> other sources.
> 
> In general, I am against using real company names in documentation. In
> this particular case, foo.example.com names cannot quickly illustrate
> the problem solved by the new --consensus option because the reader
> would not be able to grasp the complex relationship between conglomerate
> parts unless they already know about those relationships, identified in
> reader's mind by familiar company names.
> 
> 
> @Christos, I recommend replacing the above paragraph with the following
> text which uses more "technical" words to say the same thing:
> 
> --consensus identifies transactions with a particular server when
> server's subject name is also present in certificates used by many other
> servers (e.g., matching transactions with a particular Google server but
> not with all Youtube servers).
> 
> 
> If Amos disagrees, then I would just drop those brief descriptions from
> the commit message -- their value quickly diminishes with every minute
> we waste on arguing about them.
> 
> 
> HTH,
> 
> Alex.
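
Added illustration of the matching logic described above (constructed for this note; not Squid's code and not part of the thread). Assumed model: --consensus keeps only the server names that are both client-requested (CONNECT host or SNI) and server-provided (certificate subject names); the --client-requested and --server-provided options appear for contrast and are not quoted in the excerpt above.

```python
# Constructed model of the ssl::server_name matching modes discussed in the
# thread; NOT Squid's implementation. Assumption: the ACL computes a set of
# server names from two sources and --consensus keeps only the names that are
# BOTH client-requested (CONNECT host / SNI) AND server-provided (certificate
# CN and SubjectAltName entries).

def domain_matches(pattern: str, name: str) -> bool:
    """Squid-style domain pattern: '.example.com' matches example.com and any
    subdomain; a pattern without a leading dot must match the name exactly."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def computed_server_names(client_requested, server_provided, mode):
    """Return the set of names the ACL will test, depending on the option."""
    requested, provided = set(client_requested), set(server_provided)
    if mode == "--client-requested":
        return requested
    if mode == "--server-provided":
        return provided
    if mode == "--consensus":
        return requested & provided  # intersection: only names both sources agree on
    raise ValueError(f"unknown ssl::server_name option: {mode}")


def acl_matches(acl_patterns, client_requested, server_provided, mode):
    """True if any computed server name matches any ACL domain pattern."""
    names = computed_server_names(client_requested, server_provided, mode)
    return any(domain_matches(p, n) for p in acl_patterns for n in names)


# Constructed transaction: the client asked (via SNI) for one host of a
# conglomerate, but the certificate it received also lists names of sibling
# services, as certificates of large operators commonly do.
SNI = ["www.google.com"]
CERT_NAMES = ["www.google.com", "google.com", "youtube.com", "www.youtube.com"]

if __name__ == "__main__":
    for acl in ([".google.com"], [".youtube.com"]):
        for mode in ("--client-requested", "--server-provided", "--consensus"):
            print(acl, mode, acl_matches(acl, SNI, CERT_NAMES, mode))
```

With --consensus the ".google.com" ACL matches this transaction while ".youtube.com" does not, even though the certificate names both; with --server-provided both ACLs match.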

