[squid-users] hostHeaderVerify with SNI in interception environments

Andreas Weigel andreas.weigel at securepoint.de
Tue Sep 21 18:19:25 UTC 2021


Hi again,

> FWIW, Factory is (slowly) working on an SslBump refactoring project  
> that may address this bug.

Thanks, I'll keep an eye on that.

Andreas

Quoting Alex Rousskov <rousskov at measurement-factory.com>:

> On 9/21/21 10:14 AM, Andreas Weigel wrote:
>> Hi,
>>
>> sorry for the late response and the ambiguity in the initial post.
>>
>>> That fact is unrelated to the concern being raised in this thread
>>> AFAICT: The concern is _not_ whether Squid verifies the target of the
>>> SNI-based CONNECT during step3. The concern is whether Squid verifies
>>> the target of the SNI-based CONNECT at all.
>>
>> Exactly. If splicing in step2, the SNI is validated (DNS lookup,
>> comparing results with IP from client request). In that configuration,
>> hostHeaderVerify is called twice, once at step1 (without any hosts,
>> always passes) and once at step2 (with SNI, if present).
>>
>> If peeking in step2 and splicing in step3, the SNI is *not* validated in
>> step2 -- hostHeaderVerify is only called once without any hostname at
>> step1 in that case and that always passes.
>
> Glad we are on the same page. FWIW, Factory is (slowly) working on an
> SslBump refactoring project that may address this bug. I do not have a
> patch against official sources for you to try, but you can keep track of
> our progress at https://github.com/measurement-factory/squid/pull/108
>
>
> Cheers,
>
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
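For readers comparing the two setups discussed in this thread, the ssl_bump arrangements below are an added illustration (not configuration from the thread or from the Squid project). The acl names are my own, and the comments restate the behaviour Andreas reports above, not independently verified Squid semantics.

```conf
# Added example: the two SslBump arrangements compared in this thread.
# Comments summarise the behaviour reported above; check against your Squid build.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Arrangement A: peek at step1, splice at step2.
# Per the thread, hostHeaderVerify runs at step1 (no hostname yet, always
# passes) and again at step2 with the ClientHello SNI, so the SNI is resolved
# and compared with the intercepted destination IP before splicing.
ssl_bump peek step1
ssl_bump splice step2

# Arrangement B: peek at step1 and step2, splice at step3.
# Per the thread, only the step1 call happens (no hostname), so the SNI is
# never compared with the destination IP before the connection is spliced.
# ssl_bump peek step1
# ssl_bump peek step2
# ssl_bump splice step3

# Optional: treat a failed host verification as fatal instead of a logged
# warning (default is off).
host_verify_strict on
```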