[squid-dev] Moving from Bump-Server-First to Bump/Peek/Splice
Steve Hill
steve at opendium.com
Mon Sep 14 16:53:15 UTC 2015
On 12/09/15 10:13, Steve Hill wrote:
> I will need to test this more thoroughly, but I was testing using
> proxytunnel (to set up the CONNECT) and openssl (to do the actual ssl
> bit) and found that the CN was always identical to the contents of the
> CONNECT, even if the CONNECT was to an IP address rather than a host name.
I've got to the bottom of this one. This doesn't seem to be documented,
so I'm not sure if we just need to improve the documentation or if it's
actually a bug. :)
If you peek at step 1 and bump at step 2, everything works correctly -
the CN, SAN, etc. from the original server certificate is copied into
the forged certificate as expected (this is how the old server-first
mode behaves).
If you bump at step 1, the forged certificate's CN is whatever
hostname/IP was given in the CONNECT request.
There's certainly value in being able to forge a certificate without
contacting the web server - i.e. generating error messages or
redirecting people to a captive portal - so this seems like good
functionality to keep; I just wasn't expecting it. :)
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
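The two ssl_bump arrangements Steve describes, as an added squid.conf illustration that is not from the original post or the Squid project; the port number, the CA file path and the ACL names are assumptions, while `at_step`, `SslBump1`/`SslBump2`, `peek` and `bump` are Squid's own directives.

```conf
# Added illustration, not from the original post. Assumes a forward proxy
# on port 3128 with generate-host-certificates and a CA at /etc/squid/ssl/ca.pem.
http_port 3128 ssl-bump generate-host-certificates=on \
    cert=/etc/squid/ssl/ca.pem

# Squid's SslBump steps: step 1 = CONNECT seen, step 2 = client hello seen,
# step 3 = server certificate seen.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Arrangement A: peek at step 1, bump at step 2.
# Squid contacts the origin before forging, so the forged certificate
# carries the origin certificate's CN, SAN etc. (the old server-first
# behaviour Steve expected). Verification of the origin cert still applies.
ssl_bump peek step1
ssl_bump bump step2

# Arrangement B: bump at step 1.
# Squid forges without contacting the origin, so the CN is whatever the
# client put in the CONNECT request (hostname or bare IP). Fine for
# serving error pages or a captive portal; surprising for normal traffic.
# Uncomment this and comment out the two rules above to use it:
# ssl_bump bump step1
```

To check which behaviour a running proxy exhibits, connect through it with `openssl s_client -proxy 127.0.0.1:3128 -connect <host>:443` (the `-proxy` option exists in OpenSSL 1.1.0 and later) and compare the presented subject and subjectAltName against the origin's.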