[squid-users] ssl-bump and accel
Amos Jeffries
squid3 at treenet.co.nz
Sun Jan 10 04:30:38 UTC 2016
On 9/01/2016 7:48 a.m., Nir Krakowski wrote:
> This is what needs to be done to get it to work in squid >3.5 in function
> ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
> Dns::LookupDetails &dns):
>
Hell NO!!!!
clientConn is the state data about the TCP connection the message
arrived on. HTTP and SSL-Bump in no way alter the reality of what
src/dst IPs those TCP packets contain.
There may be a bug needing a fix, but it absolutely is not that patch.
By applying that patch you are allowing a remote sender to both bypass
all your Squid protections and any network firewall security you may
have external to Squid, while simultaneously recording in your Squid
logs any value of its choosing for the destination IPs of its attack
traffic.
Amos
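The principle behind the objection, as an added illustration that is not Squid's own code: the Host header may be checked for consistency with the TCP destination, but the forwarding and logging address always stays the real TCP destination. The function names, the constructed DNS answers and the sample addresses are assumptions for this example.

```python
from ipaddress import ip_address
from typing import Iterable


def split_host_header(host_header: str) -> str:
    """Strip an optional :port from a Host header value, handling [v6]:port."""
    h = host_header.strip()
    if h.startswith("["):                      # IPv6 literal, e.g. [2001:db8::1]:443
        end = h.find("]")
        return h[1:end] if end > 0 else h
    if h.count(":") == 1:                      # name:port or v4:port
        return h.rsplit(":", 1)[0]
    return h                                   # bare name, bare v4, or unbracketed v6


def host_header_ip_verify(tcp_dst: str, host_header: str, resolved: Iterable[str]) -> dict:
    """Check whether the Host header agrees with the TCP destination.

    tcp_dst:  the IP the client's TCP connection actually went to (connection state).
    resolved: constructed DNS answers for the Host header name (hypothetical lookup).
    The verdict never substitutes a Host-derived address for the TCP destination;
    a mismatch only marks the Host value as untrusted. (Port agreement is not
    checked here, a deliberate simplification.)
    """
    name = split_host_header(host_header)
    dst = ip_address(tcp_dst)
    try:
        candidates = {ip_address(name)}        # Host carries an IP literal
    except ValueError:
        candidates = {ip_address(a) for a in resolved}
    trusted = dst in candidates
    return {
        "forward_to": str(dst),                # always the real TCP destination
        "log_dst": str(dst),                   # logs record what the packets said
        "host_trusted": trusted,
        "reason": "ok" if trusted else f"Host {name!r} does not resolve to {dst}",
    }


if __name__ == "__main__":
    # Constructed sample: Host header pointing somewhere the TCP packets never went.
    print(host_header_ip_verify("198.51.100.5", "other.example:443", ["203.0.113.9"]))
```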