[squid-dev] [PATCH] ssl::server_name options to control matching logic.

Alex Rousskov rousskov at measurement-factory.com
Wed May 31 14:56:21 UTC 2017


On 05/30/2017 10:58 PM, Amos Jeffries wrote:
> On 26/05/17 22:08, Christos Tsantilas wrote:
>> --consensus allows matching a part of the conglomerate when the part's
>> subject name is included in certificates used by many other
>> conglomerate parts (e.g., matching Google but not Youtube).

> So this ACL option somehow makes Squid aware of corporate ownership and
> political structures and human-world business operations? er, no.

Actually, the answer to your rhetorical question is "yes", provided
those real-world things are expressed in certificate properties, as the
proposed description states. This brief high-level description helps
admins (with poor TLS knowledge) identify a relevant-to-them feature
that they can then study in detail by reading squid.conf.documented and
other sources.

In general, I am against using real company names in documentation. In
this particular case, foo.example.com names cannot quickly illustrate
the problem solved by the new --consensus option because the reader
would not be able to grasp the complex relationship between conglomerate
parts unless they already know about those relationships, identified in
the reader's mind by familiar company names.


@Christos, I recommend replacing the above paragraph with the following
text which uses more "technical" words to say the same thing:

--consensus identifies transactions with a particular server when
server's subject name is also present in certificates used by many other
servers (e.g., matching transactions with a particular Google server but
not with all Youtube servers).


If Amos disagrees, then I would just drop those brief descriptions from
the commit message -- their value quickly diminishes with every minute
we waste on arguing about them.


HTH,

Alex.

