[squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

Yuri yvoinov at gmail.com
Wed Feb 7 18:05:33 UTC 2018


This is irrelevant to host_verify_strict. This is an effect of server-side CDN
IP changes. Squid treats it as a security alert.

08.02.2018 00:03, steveno wrote:
> I was using squid 3.5.20 and encountered an issue running out of File
> Descriptors on Centos7; the scenario was that sockets would be abandoned in
> a "CLOSE_WAIT" state forever until the server ran out of FD's.
> Searching, I found the following bug:
> https://bugs.squid-cache.org/show_bug.cgi?id=4508
> This is listed as being a fix at 3.5.25, so I installed that version. Once
> installed, the FD problem seemed to be resolved, but now there is another
> issue: "Default Value:	host_verify_strict off" seems to be lost. In my access
> logs I get a number of entries:
> 2018-02-07 17:10:42      0 10.x.x.x TAG_NONE/409 3941 CONNECT
> sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/-
> text/html
>
> Cache logs I get:
> 2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL:
> sqs.us-west-2.amazonaws.com:443
>
> And the clients making those requests tend to see dropped connections with a
> "SSL: UNKNOWN_PROTOCOL" error.
>
> I tried setting the value "host_verify_strict off" but it did not appear to
> have any effect.
>
> It looks like this fix for the File Descriptors has broken something else.
>
> Thanks.
>
> Steven Oakley.
>
>
>

-- 
*****************************
* C++20 : Bug to the future *
*****************************
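
A triage sketch for the symptom reported in this thread, added here as an example and not code from either poster or from the Squid project: it pairs the 409 CONNECT rejections in access.log with the SECURITY ALERT lines in cache.log, so the affected destinations and clients can be listed. The field layout is assumed from the single log line quoted above, and all sample lines and client addresses are constructed.

```python
import re
from collections import defaultdict

# Access-log layout assumed from the line quoted in the thread (custom logformat):
# date time elapsed client result/status bytes method target host hier/peer mime
ACCESS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+(?P<client>\S+)\s+"
    r"[A-Z_]+/(?P<status>\d{3})\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<target>\S+)\s+\S+\s+(?P<hier>\S+)"
)
ALERT_RE = re.compile(r"SECURITY ALERT: on URL:\s*(?P<target>\S+)")

# Constructed sample input, modelled on the entries quoted in the thread.
ACCESS_LOG = [
    "2018-02-07 17:10:42      0 10.0.0.5 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/- text/html",
    "2018-02-07 17:10:43    120 10.0.0.6 TCP_TUNNEL/200 5120 CONNECT example.org:443 example.org ORIGINAL_DST/192.0.2.10 -",
    "2018-02-07 17:11:02      0 10.0.0.6 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/- text/html",
    "2018-02-07 17:12:00      0 10.0.0.7 TAG_NONE/409 3900 CONNECT example.net:443 example.net HIER_NONE/- text/html",
]
CACHE_LOG = ["2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL: sqs.us-west-2.amazonaws.com:443"]

def rejected_connects(access_lines):
    """Group CONNECT requests answered 409 with no upstream contact (HIER_NONE)."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "first": None, "last": None})
    for line in access_lines:
        m = ACCESS_RE.match(line.strip())
        if not m or m["method"] != "CONNECT" or m["status"] != "409":
            continue
        if not m["hier"].startswith("HIER_NONE"):
            continue
        h = hits[m["target"]]
        h["count"] += 1
        h["clients"].add(m["client"])
        h["first"] = h["first"] or m["ts"]   # keep the earliest timestamp seen
        h["last"] = m["ts"]
    return dict(hits)

def alerted_targets(cache_lines):
    """Destinations named in cache.log SECURITY ALERT lines."""
    return {m["target"] for line in cache_lines if (m := ALERT_RE.search(line))}

def correlate(access_lines, cache_lines):
    """Rejected destinations that also have a SECURITY ALERT entry."""
    rejected = rejected_connects(access_lines)
    alerts = alerted_targets(cache_lines)
    return {t: rejected[t] for t in sorted(rejected) if t in alerts}

if __name__ == "__main__":
    for target, info in correlate(ACCESS_LOG, CACHE_LOG).items():
        print(target, info["count"], sorted(info["clients"]), info["first"], info["last"])
```

Destinations that show 409s without a matching alert line (example.net in the sample) are left out of the correlated result and are worth checking separately.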

