[squid-users] The status of AIA ie: TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ?

Marcus Kool marcus.kool at urlfilterdb.com
Sat Feb 5 18:25:43 UTC 2022


>> I would have expected that the remote host ip:port and sni would be logged
>> as well in the above mentioned line.
>>
>
> SNI is one of the details TLS/1.3 encrypts now  :(

To prevent misunderstandings, TLS 1.3 does not encrypt the SNI.

See https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni :
Although TLS 1.3 [RFC8446 <https://datatracker.ietf.org/doc/html/rfc8446>] encrypts most of the handshake, including
the server certificate, there are several ways in which an on-path
attacker can learn private information about the connection.  The
plaintext Server Name Indication (SNI) extension in ClientHello
messages, which leaks the target domain for a given connection, is
perhaps the most sensitive, unencrypted information in TLS 1.3.

However, there is an optional TLS 1.3 extension that may encrypt the SNI and refers to it as ESNI.

Marcus

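The point Marcus makes is easy to verify on the wire: the server_name extension sits in the ClientHello, which is sent before any key material exists, so a proxy or any on-path observer can read it from a TLS 1.2 or TLS 1.3 handshake alike. The following Python is an added example, not code from this thread, from Squid or from the draft; it builds a constructed, minimal ClientHello (the random bytes, cipher suite and extension set are made up for the example) and then walks the plaintext record to pull out the SNI, returning None for non-ClientHello records, truncated input or a hello without the extension.

```python
import struct

def build_client_hello(server_name: str, tls13: bool = True, include_sni: bool = True) -> bytes:
    """Build a constructed, minimal TLS ClientHello record (sample input, not a capture).

    TLS 1.3 is only signalled in supported_versions (extension 43); the
    legacy_version field stays 0x0303, exactly as on the wire.
    """
    exts = b""
    if include_sni:
        host = server_name.encode("idna")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension server_name(0)
    versions = b"\x03\x04" if tls13 else b"\x03\x03"
    sv_body = bytes([len(versions)]) + versions
    exts += struct.pack("!HH", 0x002B, len(sv_body)) + sv_body       # extension supported_versions(43)
    body = (
        b"\x03\x03"                        # legacy_version
        + b"\x11" * 32                     # random (constructed, not random)
        + b"\x00"                          # legacy_session_id: empty
        + b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                      # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello(1), uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record

def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a plaintext ClientHello, or None."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error, ValueError):
        return None   # truncated or malformed input: treat as "no SNI seen"

def _parse_sni(record: bytes):
    if record[0] != 0x16:                      # content_type handshake(22)
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("truncated record")
    if hs[0] != 0x01:                          # handshake type client_hello(1)
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake")
    pos = 2 + 32                               # skip legacy_version and random
    pos += 1 + body[pos]                       # legacy_session_id<0..32>
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites<2..2^16-2>
    pos += 1 + body[pos]                       # compression_methods<1..2^8-1>
    if pos == len(body):
        return None                            # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        if len(edata) != elen:
            raise ValueError("truncated extension")
        pos += elen
        if etype != 0x0000:                    # only server_name interests us
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = edata[p]
            name_len = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            name = edata[p:p + name_len]
            p += name_len
            if name_type == 0:                 # host_name
                return name.decode("ascii")
    return None

if __name__ == "__main__":
    for v13 in (True, False):
        print("TLS 1.3" if v13 else "TLS 1.2", extract_sni(build_client_hello("www.example.com", tls13=v13)))
```

The same walk works for either protocol version because nothing before the extensions block changed between TLS 1.2 and 1.3; only the handshake messages after the ServerHello became encrypted. With ESNI/ECH in use, the field this parser reads carries only the client-facing cover name, not the real backend, which is precisely the information the draft sets out to hide.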
