[squid-users] host_verify_strict and wildcard SNI

Marcus Kool marcus.kool at urlfilterdb.com
Thu Jul 7 01:55:29 UTC 2016 


On 07/06/2016 10:07 PM, Alex Rousskov wrote:
> On 07/06/2016 05:01 PM, Marcus Kool wrote:
>> On 07/06/2016 11:36 AM, Steve Hill wrote:
>>> I'm using a transparent proxy and SSL-peek and have hit a problem with
>>> an iOS app which seems to be doing broken things with the SNI.
>>>
>>> The app is making an HTTPS connection to a server and presenting an
>>> SNI with a wildcard in it - i.e. "*.example.com".  I'm not sure if
>>> this behaviour is actually illegal, but it certainly doesn't seem
>>> to make a lot of sense to me.

[snip]

>
> Q3. What should Squid do when receiving a wildcard SNI?
>
> The first two questions are not really important and each may not even
> have a single "correct" answer. I am sure protocol purists can argue
> about them forever. The last question is important, which brings us to:
>
>> Since Squid tries to mimic the behavior of the server and of the client,
>> it deserves a patch where instead of doing a DNS lookup and then doing a
>> connect (based on the result of the DNS lookup?),
>> Squid simply connects to the IP address that the client tries to connect to
>> and does the TLS handshake with the SNI (that does not make sense).
>> This way it mimics the client a bit better.
>
> I believe that is what Squid does already but please correct me if I am
> wrong.

Steve said that Squid rejects the connection because of a failed DNS lookup.
So what is Squid doing?  Is it doing  the following ?
- connect to the original IP
- use the presented SNI to the server
- do a DNS lookup and reject

> When forming a fake CONNECT request, Squid uses SNI information because
> that is what ACLs and adaptation services usually want to see. However,
> I hope that intercepting Squid always connects to the intended
> destination of the intercepted connection instead of trusting its own
> fake CONNECT request.

It is interesting to know if an ICAP server or URL rewriter is called
and with which parameters when the ios app breaks.

> Whether Squid should generate a fake CONNECT with a wildcard host name
> is an interesting question:
>
> 1. A fake CONNECT targeting an wildcard name may break ACL-driven rules
> and adaptation services (at least).
 >
> 2. A fake CONNECT targeting an IP address instead of a wildcard name may
> not give some ACL-driven rules and adaptation services enough
> information to make the right decision.
>
> 3. A premature rejection of a connection with wildcard SNI does not
> allow the admin to make the bump/splice/terminate decision.
>
> #2 is probably the lesser of the three evils, but I wonder whether Squid
> should also include the invalid host name as an X-SNI or similar HTTP
> header in that CONNECT request, to give advanced ACLs and adaptation
> services a better chance to work around known benign issues where the
> admin knows the wildcard is not malicious (and to kill wildcard
> transactions the admin knows to be malicious!).

I use url_rewrite_extras with "... sni=\"%ssl::>sni\" ..."
so the URL redirector receives both the original IP address and
the peeked SNI value to make its decisions.
I agree that an ICAP service needs X-SNI or perhaps X-Squid-SNI to
also get both the IP address and the SNI value.

> A similar question can be asked about SNI names containing unusual
> characters. At some point, it would be too dangerous to include SNI
> information in the fake CONNECT request because it will interfere with
> HTTP rules, but it is not clear where that point is exactly.

To support the weirdest apps Squid might have to simply copy all
unusual characters to present the same parameter values to the server.
But we do not want to break things... so which characters are
so unusual that Squid does not want to accept them?

Marcus

> Cheers,
>
> Alex.

More information about the squid-users mailing list