[squid-dev] [PATCH] ssl::server_name options to control matching logic.

Amos Jeffries squid3 at treenet.co.nz
Wed May 31 04:58:19 UTC 2017


On 26/05/17 22:08, Christos Tsantilas wrote:
> This patch uses the "--long-options" ACLs feature which was posted to 
> squid-dev under the mail thread:
>  "[PATCH] Adds support for --long-acl-options"
>
>
> Patch description:
>
> Many popular servers use certificates with several "alternative 
> subject names" (SubjectAltName). Many of those names are wildcards. 
> For example, a www.youtube.com certificate currently includes 
> *.google.com and 50+ other subject names, most of which are wildcards.
>
> Often, admins want server_name to match any of the subject names. This 
> is useful to match any server belonging to a large conglomerate of 
> companies, all including some *.example.com name in their 
> certificates. The existing server_name functionality addresses this 
> use case well.
>
> The new ACL options address several other important use cases:
>
> --consensus allows matching a part of the conglomerate when the part's 
> subject name is included in certificates used by many other 
> conglomerate parts (e.g., matching Google but not Youtube).

So this ACL option somehow makes Squid aware of corporate ownership and 
political structures and human-world business operations? er, no.

Thankfully the text you are adding to cf.data.pre does a better job of 
explaining this option. Please use that text as the commit message 
description instead of the above confusing fuzz - if you have to at all, 
having the docs as part of the patch makes it somewhat redundant to 
describe them in the commit message.


>
> --client-requested allows both (a) SNI-based matching even after Squid 
> obtains the server certificate and (b) pinpointing a particular server 
> in a group of different servers all using the same wildcard 
> certificate (e.g., matching appengine.example.com but not 
> www.example.com when the certificate has a *.example.com subject).
>
> --server-provided allows matching only after Squid obtains the server 
> certificate and matches any of the conglomerate parts.
>
> Also, this patch fixes Squid to log the client SNI when client-first 
> bumping mode is used too.
>
> This is a Measurement Factory project
>

in src/acl/ServerName.h:

* please only use questions to document pre-existing code whose 
behaviour you are not entirely sure of, but where a guess is better than 
nothing at all.
  - I am referring of course to the "Ignore ... names?" questions.


in src/cf.data.pre:

* CONNECT handling is somewhat special because its URI is the authority, 
the Host header is ignored. So mentioning it here is wrong.
   - s/ target (a.k.a. Host header or URI) / target (a.k.a. URI) /


in src/ssl/ServerBump.h:

* "the SSL client SNI name" is both wrong and redundant.
  - SSL clients cannot send SNI, only TLS clients can send TLS extensions.
  - the 'N' in SNI is for name. So that text says "server name 
indication name".

  - "TLS client delivered SNI value. Empty string if none has been 
received." would be more accurate documentation for this member.


+1 with that polishing. Thank you.


Amos
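Added illustration of the name-selection logic laid out in the quoted patch description; this is example code, not the patch or Squid's own implementation. It assumes dstdomain-style patterns (".example.com" covers the domain and its subdomains), the usual single-label TLS wildcard rule for certificate names, and reads --consensus as "the SNI counts only when the server certificate covers it"; the certificate name lists are constructed, not real SubjectAltName sets.

```python
from typing import Iterable, List, Optional

def _name_matches(name: str, pattern: str) -> bool:
    # Pattern rule assumed here (mirrors Squid's dstdomain convention):
    # '.example.com' covers example.com and all its subdomains; any other
    # pattern must match exactly. A wildcard cert name '*.base' stands for
    # "some subdomain of base", so it matches only a dotted pattern covering base.
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if name.startswith("*."):
        base = name[2:]
        return pattern.startswith(".") and (base == pattern[1:] or base.endswith(pattern))
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern

def _cert_covers(cert_name: str, host: str) -> bool:
    # Does a certificate subject name cover host? A leftmost '*' stands for
    # exactly one label (the usual TLS wildcard rule); otherwise exact match.
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                      # '*.example.com' -> '.example.com'
    head = host[: -len(suffix)]                 # 'www.example.com' -> 'www'
    return host.endswith(suffix) and head != "" and "." not in head

def server_names(sni: Optional[str], cert_names: Iterable[str],
                 option: Optional[str] = None) -> List[str]:
    # Which names the ACL is evaluated against, per the patch description:
    #   default              SNI plus every certificate subject name
    #   --client-requested   SNI only, even after the server certificate is known
    #   --server-provided    certificate names only (nothing until the cert arrives)
    #   --consensus          SNI, only when the certificate covers it (my reading)
    certs = list(cert_names)
    if option == "--client-requested":
        return [sni] if sni else []
    if option == "--server-provided":
        return certs
    if option == "--consensus":
        return [sni] if sni and any(_cert_covers(c, sni) for c in certs) else []
    return ([sni] if sni else []) + certs

def acl_matches(patterns: List[str], sni: Optional[str],
                cert_names: Iterable[str], option: Optional[str] = None) -> bool:
    # True if any computed server name matches any ACL pattern.
    return any(_name_matches(n, p) for n in server_names(sni, cert_names, option)
               for p in patterns)

# Constructed certificate name lists modelled on the description, not real SANs.
YOUTUBE_CERT = ["youtube.com", "*.youtube.com", "*.google.com"]
GOOGLE_CERT = ["google.com", "*.google.com"]
```

With these inputs, `acl_matches([".google.com"], "www.youtube.com", YOUTUBE_CERT)` matches by default (the YouTube certificate carries *.google.com) but not with "--consensus", while "--server-provided" cannot pinpoint appengine.example.com behind a *.example.com certificate and "--client-requested" can.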
