[squid-dev] [PATCH] splicing resumed sessions

Alex Rousskov rousskov at measurement-factory.com
Fri Apr 3 20:17:34 UTC 2015


On 03/27/2015 05:58 AM, Amos Jeffries wrote:
> Indeed. Its the hostname vs SNI case we can check and SHOULD do so. The
> raw-IP ones we can skip the check. Some nasties will still get passed,
> but less than without any checks.


This is all outside this patch scope though, right?! Whether or not
Squid should compare peeked SNI with CONNECT hostname seems totally
unrelated to splicing of resumed sessions. If so, let's get this fix in
and [continue to] discuss what kind of additional checks to add to
SslBump separately.


Thank you,

Alex.



More information about the squid-dev mailing list