[squid-users] Squid fails to bump where there are too many DNS names in SAN field

Ahmad, Sarfaraz Sarfaraz.Ahmad at deshaw.com
Mon Sep 3 07:34:31 UTC 2018


I am using Squid in an interception role with WCCP.
I am peeking at Step1 to read the SNI and determining whether to splice or bump.

That interception/MITM appears to fail where remote certificates from origin servers have way too many dnsnames in the SAN field.
I have noticed this behavior with at least these 2 websites. In both the cases, my setup would be bumping the connections. (Obviously otherwise we won't be having this problem with splicing.)


The RFC doesn't set an upper bound on the number of dnsnames you can set in the SAN field.
If I splice these domains/URLs, browsers don't complain either. So this seems local to Squid.

Points to note:

1)      Even though openssl s_client can connect/negotiate just fine, Squid doesn't.

2)      This is the behavior that I gather from a packet capture.

a.       My client (say a workstation XYZ) tried to connect to (That is https://www.extremetech.com)

b.       WCCP ships packet to the proxy over GRE tunnel and a TCP connection with the proxy acting as the origin server is established.

c.       XYZ sends ClientHello to the proxy.

d.       Squid starts conversing the origin server and sends a ClientHello.

e.       Origin server replies with ServerHello, ServerKeyExchange, Certificate packets, Squid just waits endlessly.

f.        The client, XYZ, ends up sending a FIN packet after ClientHello, since Squid doesn't revert back with a ServerHello.

I will have to file a bug ?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180903/428f25ab/attachment.html>

More information about the squid-users mailing list