[squid-users] A patch for intercepted/WCCP HTTPS and 409 errors

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 11 12:34:59 UTC 2019

On 11/12/19 8:51 pm, Scott wrote:
> Hi,
> I understand that squid does some security checking that the SNI of an 
> intercepted/WCCP HTTPS requests matches the reverse DNS of the IP of the 
> connection.  Or something like that.

Not being able to say precisely what Squid is actually doing shows that
you are lacking understanding of the processes taking place.

The security check you are posting about has many secondary consequences
and side effects to be taken into account. Quite a few people have taken
a stab at solving these rejections and what we have in Squid right now
is the best that can be done without significant redesign work (which is
underway - just very slowly, help welcome).

This is why we have the squid-dev mailing list for code change
discussion. If you want to actually help solving false-positives in this
security check please post there and we who have been working on this
issue for 10+ years now can discuss what we know about the situation,
the "gotcha" side effects we have to avoid and ideas for improvement.

> However with the prevalence of CDNs and badly configured DNSs and geographic 
> DNSs, this breaks lots of connections (eg, I can't watch the NHL).
> I run Squid on a trusted network and use it primarily for caching and 
> logging, and so I while I need to run WCCP for some non-proxy capable 
> devices, I don't need that security check.

Without that check you cannot call your network a "secure network"
anymore. The absence of the check opens a nest of security holes for
attackers to walk right in past all those other protections.

> It stops all of those 409 errors occurring.
> Because of that I've created some patches that add a new option
> "host_verify_strict_intercepted" which is off by default.  They are
> for Squid 4.9.  As this is disabling a security feature of Squid do
> not apply this patch unless you are prepared for any and all consequences.

Please do not spread this around. People who want to really insist on
allowing virus/malware to spread unchecked around their networks can
make smaller patches.


More information about the squid-users mailing list