[squid-users] ssl_bump and SNI
Amos Jeffries
squid3 at treenet.co.nz
Wed Jun 3 15:05:36 UTC 2015
On 4/06/2015 2:27 a.m., sp_ wrote:
> Hello Nathan,
>
> thank you for an example.
>
> What version of squid are you running?
> Mine is:
>
>
> I've tried to apply the config you've posted, but with no luck. Squid can't
> get the domain:
>
>
Well, its not a simple situation. Lets start with clarifying some of the
details...
SNI is a relatively new feature of TLS. There is no guarantee of a
domain name actually existing in the bumped (step1) metadata.
So, Squid may have to do a peek at step2 to get the server cert details
before it has any clue about what domain *might* be.
Also that means the %ssl::>sni helper format token depended on with the
ACL helper approach will be "-" for these requests.
To resolve that use the new (in squid-3.5.4) ssl::server_name ACL
instead. Which checks against the CONNECT hostname (if any) at step1+,
SNI domain (if any) at step2+, and server cert domain at step3.
Amos
More information about the squid-users
mailing list