[squid-users] Squid SNI at Step 2

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 27 20:24:54 UTC 2015


On 28/10/2015 9:11 a.m., Jatin Bhasin wrote:
> Hi Amos,
> 
> My client is sending sni. I have checked this. Squid only generates SNI
> fake connect at step2 if sslbump action is splice. For all other ssl bump
> actions it does not generate fake connect with sni.
> Is this a bug or limitation in squid? Do you plan in future to change it?

It's not a bug exactly. I'm not sure at this point what we will do about
it. Alex and Christos are apparently doing a bit of redesign of the
process and I'm not sure how that is going or planned to be yet.

Conceptually the fake CONNECT represents the server authority named in
the protocol prior to the TLS handshake beginning, which is TCP and thus the
server-IP from the TCP SYN packet. That has already been accepted through
the http_access permissions in its raw-IP form.

Personally I am leaning more and more towards having Squid simply do the
step-1 peek in all traffic. So access controls and permissions start at
step 2 with SNI going through the http_access rules in the fake CONNECT.

But that would possibly have issues where people want or are required to
terminate or splice without peek happening first. From a security
standpoint it should not matter, but we still have to verify that.

Amos
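Added example (not part of the thread, and not the Squid project's own configuration): a squid.conf fragment in the shape Amos describes, peeking at step 1 on all intercepted traffic and only making the splice/terminate/bump decision, and the http_access decision, once the SNI is known at step 2. The directive and ACL names (`https_port ... ssl-bump`, `at_step`, `ssl::server_name`, `ssl_bump peek/stare/splice/bump/terminate`) are the documented Squid 3.5 ones; the CA path, ports, domains and client subnet are placeholders. Note Jatin's observation earlier in the thread: in the version he tested, the step-2 fake CONNECT carries the SNI only when the action is splice, so the SNI-based http_access line below is only as useful as that behaviour allows.

```conf
# Intercepted HTTPS listener. The CA certificate path is a placeholder.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/CA-PLACEHOLDER.pem

# SslBump steps: 1 = TCP level (raw destination IP only),
# 2 = after the client hello (SNI known),
# 3 = after the server hello (server certificate known).
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Placeholder client network for the decrypted HTTP requests.
acl localnet src 192.0.2.0/24

# SNI policy. ssl::server_name matches the SNI at step 2 and the
# server certificate names at step 3. Domains are placeholders.
acl sni_allowed  ssl::server_name .example.com .example.net
acl sni_passthru ssl::server_name .bank.example

# Step 1: always peek; never decide on the raw IP alone.
ssl_bump peek step1

# Step 2: the SNI is now available, so decide per server name.
ssl_bump splice sni_passthru      # keep end-to-end TLS for these
ssl_bump terminate !sni_allowed   # no SNI, or SNI outside the allow-list
ssl_bump stare step2              # keep the bump option open until step 3
ssl_bump bump all                 # step 3: inspect the rest with the CA above

# http_access is evaluated on the fake CONNECT at each step. At step 1
# that CONNECT carries only the raw IP, so the SNI restriction is applied
# only once step 2 has been reached; otherwise the step-1 CONNECT would be
# denied before the peek ever happens.
http_access deny step2 !sni_allowed !sni_passthru
http_access allow localnet
http_access deny all
```

Reading it back: the step-1 CONNECT (raw IP) is admitted by the `localnet` line, the step-2 CONNECT (SNI) is the first point at which a name-based deny can fire, and the `ssl_bump` lines are matched first-rule-wins at each step, so `peek step1` never applies at step 2 and the `terminate` line catches clients that send no SNI at all.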



More information about the squid-users mailing list