[squid-dev] [PATCH] splicing resumed sessions

Alex Rousskov rousskov at measurement-factory.com
Thu Apr 9 04:25:04 UTC 2015


On 04/08/2015 07:13 PM, Amos Jeffries wrote:
> On 4/04/2015 9:17 a.m., Alex Rousskov wrote:
>> On 03/27/2015 05:58 AM, Amos Jeffries wrote:
>>> Indeed. It's the hostname vs SNI case we can check and SHOULD do so. The
>>> raw-IP ones we can skip the check. Some nasties will still get passed,
>>> but less than without any checks.
>>
>>
>> This is all outside this patch scope though, right?! Whether or not
>> Squid should compare peeked SNI with CONNECT hostname seems totally
>> unrelated to splicing of resumed sessions. If so, let's get this fix in
>> and [continue to] discuss what kind of additional checks to add to
>> SslBump separately.

> While I disagree that adding the security related checks after the fact
> is a good approach, I can live with it.

Great. If it is any comfort, this is not really "after the fact". The
two issues are orthogonal. One could add more checks before, after, or
even instead of the fix proposed on this thread.


> The config directive does need to go though.

No objections.


> Christos said on IRC there were some issues after updating the patch. So
> I'm unsure if it will need another review before merge. If you want to
> make that call, I'll go with it.

Christos is in a better position to make that call than I am. Either way
is OK with me. I just do not want to delay this much further without a
good reason because there are several pending patches and fixes that
start to conflict with each other.


Thank you,

Alex.
