[squid-dev] [PATCH] splicing resumed sessions

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 9 01:13:45 UTC 2015


On 4/04/2015 9:17 a.m., Alex Rousskov wrote:
> On 03/27/2015 05:58 AM, Amos Jeffries wrote:
>> Indeed. It's the hostname vs SNI case we can check and SHOULD do so. The
>> raw-IP ones we can skip the check. Some nasties will still get passed,
>> but less than without any checks.
> 
> 
> This is all outside this patch scope though, right?! Whether or not
> Squid should compare peeked SNI with CONNECT hostname seems totally
> unrelated to splicing of resumed sessions. If so, let's get this fix in
> and [continue to] discuss what kind of additional checks to add to
> SslBump separately.

While I disagree that adding the security-related checks after the fact
is a good approach, I can live with it. The config directive does need
to go though.

Christos said on IRC there were some issues after updating the patch. So
I'm unsure if it will need another review before merge. If you want to
make that call, I'll go with it.

Amos