<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
<br>
<br>
07.07.2016 19:59, Marcus Kool пишет:<br>
<span style="white-space: pre;">><br>
><br>
> On 07/07/2016 10:49 AM, Yuri wrote:<br>
><br>
>>>>>>>> A similar question can be asked
about SNI names containing unusual<br>
>>>>>>>> characters. At some point, it
would be too dangerous to include SNI<br>
>>>>>>>> information in the fake CONNECT
request because it will interfere with<br>
>>>>>>>> HTTP rules, but it is not clear
where that point is exactly.<br>
>>>>>>><br>
>>>>>>> To support the weirdest apps Squid
might have to simply copy all<br>
>>>>>>> unusual characters to present the
same parameter values to the server.<br>
>>>>>><br>
>>>>>> It is being mapped into the HTTP
equivalent value. Which are Host:<br>
>>>>>> header and authority-URI. Only valid FQDN
names can make it through the<br>
>>>>>> mapping.<br>
>>>>><br>
>>>>> Here things get complicated.<br>
>>>>> It is correct that Squid enforces apps to
follow standards or<br>
>>>>> should Squid try to proxy connections for
apps when it can?<br>
>>>><br>
>>>> Squid isn't enforcing standards here. As Steve
original messge says it:<br>
>>>> "generates a "CONNECT *.example.com:443" request
based on the peeked SNI"<br>
>>>> - which is arguably invalid HTTP syntax, but oh
well.<br>
>>>><br>
>>>> It then is unable to do a DNS lookup for
*.example.com to find out what<br>
>>>> its IPs are and does the error handling action
for a failure to verify<br>
>>>> on a CONNECT message.<br>
>>><br>
>>> yes, the fake CONNECT is dealt with like a regular
CONNECT including<br>
>>> DNS lookup. I fear for other apps (besides the one
ios app that Steve<br>
>>> refers to) to break because Squid may connect to a
different IP than<br>
>>> the client/app is requesting.<br>
>>> If Squid uses the original IP to connect without
doing a DNS lookup,<br>
>>> Steve's app will work and potential issues with other
apps are<br>
>>> prevented.<br>
><br>
>> Interestingly, Marcus. Does this mean that the CDN may be
at different points in time different IP connection and it makes
it impossible for client connections through Squid?<br>
><br>
> It all depends on the app/client: if it uses a servername/SNI
that<br>
> resolves to multiple IP addresses but needs to connect to the
one<br>
> that it specifically wants to CONNECT to, the app can fail
since<br>
> Squid might choose an other IP address to connect to.<br>
><br>
> Or, apps might become slow since it might be faster when it
reconnects<br>
> to the same server that it connected to before.<br>
> I think it is best to prevent issues and that Squid should
connect<br>
> to the IP that the client is trying to connect to.</span><br>
I suggests, devs will say this is not secure. Client can be
compromised etc.etc.etc. :)<br>
<span style="white-space: pre;">><br>
> Marcus<br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJXfmvzAAoJENNXIZxhPexGQwMIALkYjQH8ke4R44oINkzQfqGR
<br>
j5VtmMRfSlcYn82Xe7D4UzkjcGytYDiJJg+0VTsVgPxphgAcKXDP/Tx3lxTpP09e
<br>
8w3pmTU5TmgYUNvuZqheSn+Zhsp4lLUN0rj2VwIZZPueMWA6Ypre7YC7vRscEluj
<br>
h9p3ZA6LTmj7NpSehWcxPKDxQdJ5HEIMRjzOyXWMJRvjwYU9s55xKYfHy5ZjSGV4
<br>
bF87d8Tg746sh+jcje6BpJBKOVNp8ImyxfjI6eFSVAjBsUpeZPa3yb2uq1LunZi1
<br>
t50q1C0P93FcqC8SipPcIM/azDEu08VrByG01x12zjgRqMVuIeMkMcvJOT3WVKY=
<br>
=0ect
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</body>
</html>