[squid-users] host_verify_strict and wildcard SNI

Steve Hill steve at opendium.com
Mon Jul 11 09:28:58 UTC 2016


On 07/07/16 12:30, Marcus Kool wrote:

> Here things get complicated.
> It is correct that Squid enforces apps to follow standards or
> should Squid try to proxy connections for apps when it can?

I would say no: where it is possible for Squid to allow an app to work, 
even where it isn't following standards (without compromising security / 
other software / etc.) then Squid needs to try to make the app work.

Unfortunately, end users do not understand the complexities, and if an 
app works on their home internet connection and doesn't work through 
their school / office connection (which is routed through Squid) then as 
far as they are concerned the school / office connection is "broken", 
even if the problem is actually a broken app.

This is made worse by (1) the perception that big businesses such as 
Microsoft / Apple / Google can never be wrong (even though this is not 
borne out by experience of their software), and (2) the fact that app 
developers rarely seem at all interested in acknowledging/fixing such 
bugs (in my experience).

So in the end you have a choice: live with people accusing Squid of 
being "broken" and refuse to allow applications that will never be fixed 
to work, or work around the broken apps within Squid and therefore get 
them working without the cooperation of the app developers.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messager: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com

