[squid-dev] Introduction / SslBump prototype patch to ignore unknown ciphers

Alex Rousskov rousskov at measurement-factory.com
Wed May 17 22:39:27 UTC 2017


On 05/17/2017 03:18 PM, David Hogan wrote:

> I found that applying a blacklist at step3 resulted in too many false positives
> caused by subjectAltName matches.

Factory is working on a patch to address that problem.


> I am hoping separately to figure
> out how to match missing SNI and terminate, either by acl config or a patch.

The above-mentioned patch might allow for matching missing SNIs as well
(as a side effect of other changes), but I am not sure. If it does not,
the infrastructure introduced by that patch would make it easier to
properly add such a feature. Or you can just hard-code a check in your
personal Squid, of course.


> are you saying that the OpenSSL validation code could be used directly,
> rather than having OpenSSL think it's doing a real handshake?

Yes, of course. For example, the "openssl verify" command line tool does
not do handshakes.


HTH,

Alex.
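The point above, that OpenSSL's certificate validation can be driven directly, with no TLS handshake at all, is easy to see from the command line. The script below is an added illustration; it is not code from this thread or from Squid. It assumes an `openssl` CLI (1.1.1 or newer) on PATH, builds a throwaway CA and a leaf certificate whose subjectAltName lists two made-up names, and then validates the leaf the way `openssl verify` does: chain building against a trust store plus a host-name check against the SAN, purely offline. The second CA exists only to show what a chain failure looks like.

```shell
#!/bin/sh
# Added example (not from the squid-dev thread or the Squid code base):
# certificate chain and host-name validation with OpenSSL, no handshake involved.
# Assumes: openssl CLI 1.1.1+ on PATH. All names and keys below are throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate and key: $1 = output directory, $2 = file stem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Throwaway CA $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Issue a leaf certificate signed by the CA in $1/ca.pem. The SAN carries two
# constructed DNS names; the CN deliberately matches only one of them, so the
# host-name check below is exercised against the SAN, not the CN.
make_leaf() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:leaf.example.test,DNS:alt.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Validate $3 (leaf cert) against trust anchor $1 for host name $2.
# Prints "ok" or "fail". Checks the "...: OK" line rather than the exit status,
# because old OpenSSL releases exit 0 even when verification fails.
verify_leaf() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

make_ca "$WORK" ca
make_ca "$WORK" other-ca
make_leaf "$WORK"

# Stand-alone run: one good name, one SAN mismatch, one wrong trust anchor.
echo "right CA, name in SAN:      $(verify_leaf "$WORK/ca.pem" leaf.example.test "$WORK/leaf.pem")"
echo "right CA, second SAN name:  $(verify_leaf "$WORK/ca.pem" alt.example.test "$WORK/leaf.pem")"
echo "right CA, name not in SAN:  $(verify_leaf "$WORK/ca.pem" other.example.test "$WORK/leaf.pem")"
echo "unrelated CA, name in SAN:  $(verify_leaf "$WORK/other-ca.pem" leaf.example.test "$WORK/leaf.pem")"
```

Nothing here opens a socket: the trust anchor, the presented certificate and the expected host name are all inputs to the verifier, which is exactly the situation a proxy is in once it has peeked at a server certificate. The same three inputs are what `X509_verify_cert()` consumes in the library API, so a bump-step check can call the validation code without letting OpenSSL run a handshake.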
