[squid-users] hostHeaderVerify with SNI in interception environments

Alex Rousskov rousskov at measurement-factory.com
Tue Sep 21 15:27:16 UTC 2021


On 9/21/21 10:14 AM, Andreas Weigel wrote:
> Hi,
> 
> sorry for the late response and the ambiguity in the initial post.
> 
>> That fact is unrelated to the concern being raised in this thread
>> AFAICT: The concern is _not_ whether Squid verifies the target of the
>> SNI-based CONNECT during step3. The concern is whether Squid verifies
>> the target of the SNI-based CONNECT at all.
> 
> Exactly. If splicing in step2, the SNI is validated (DNS lookup,
> comparing results with IP from client request). In that configuration,
> hostHeaderVerify is called twice, once at step1 (without any hosts,
> always passes) and once at step2 (with SNI, if present).
> 
> If peeking in step2 and splicing in step3, the SNI is *not* validated in
> step2 -- hostHeaderVerify is only called once without any hostname at
> step1 in that case and that always passes.

Glad we are on the same page. FWIW, Factory is (slowly) working on an
SslBump refactoring project that may address this bug. I do not have a
patch against official sources for you to try, but you can keep track of
our progress at https://github.com/measurement-factory/squid/pull/108


Cheers,

Alex.
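For readers checking their own interception setup, here is an added example (not configuration from this thread or from the Squid project) that writes down the two ssl_bump arrangements the exchange above contrasts. It assumes the standard Squid `at_step` ACLs and an intercepting `https_port` with ssl-bump; the port number, certificate path and ACL names are placeholders.

```conf
# Added example; port, certificate path and ACL names are assumptions.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/example-ca.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Arrangement A: peek at step1, splice at step2.
# Per the thread, hostHeaderVerify runs at step1 (no host name yet, always
# passes) and again at step2 with the client's SNI, which Squid resolves and
# compares against the intercepted destination IP.
ssl_bump peek step1
ssl_bump splice step2
ssl_bump splice all

# Arrangement B: peek at step1 and step2, splice at step3.
# Per the thread, hostHeaderVerify runs only once, at step1, without any
# host name, so the SNI is never checked against the destination IP.
# (Commented out because ssl_bump rules are first-match; use one arrangement.)
# ssl_bump peek step1
# ssl_bump peek step2
# ssl_bump splice step3

# host_verify_strict only decides what happens when a check fails; it does
# not add a check at a step where Squid does not run one.
host_verify_strict on
```

The practical reading of the thread is that, until the refactoring lands, a deployment that needs the SNI/destination-IP cross-check should splice at step2 (arrangement A); arrangement B reaches the same splice decision but without that check.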

