[squid-dev] Moving from Bump-Server-First to Bump/Peek/Splice

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 15 10:11:07 UTC 2015


On 15/09/2015 6:23 a.m., Alex Rousskov wrote:
> On 09/14/2015 10:53 AM, Steve Hill wrote:
> 
>> If you peek at step 1 and bump at step 2, everything works correctly -
>> the CN, SAN, etc. from the original server certificate are copied into
>> the forged certificate as expected.
> 
> OK, that matches http://wiki.squid-cache.org/Features/SslPeekAndSplice
> 
> 
>> If you bump at step 1, the forged certificate's CN is whatever
>> hostname/IP was given in the CONNECT request.
> 
> 
> That may not match the above documentation. We claim that "bump"
> establishes "a secure connection with the server and, using a mimicked
> server certificate, with the client". I would expect the origin server
> CN in the forged certificate then. We should change the documentation if
> bumping at step #1 does (and should do) something else. Another bug
> report to file?
> 

Only if the origin server is responding with some other CN values than
are in the mimic'd certificate.

In this case Squid is supposed to be connecting to the CONNECT hostname
(as SNI) or raw-IP (with no SNI). If the server is echoing that back in
its cert somehow then of course that would be mimic'd regardless of what
any un-peeked client SNI says.

Amos
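The two ssl_bump rule sets the thread compares, side by side, as an added example that is not part of the original messages or of Squid's own documentation. It assumes a Squid 3.5-era SslBump setup (the ssl_crtd helper name, the at_step ACL); the listening port, CA path and cache paths are placeholders.

```conf
# Added example, not from the thread: Squid 3.5 SslBump with peek-and-splice.
# Assumed placeholders: port 3128, CA at /etc/squid/ssl/myCA.pem, ssl_db cache dir.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1    # CONNECT received; only the CONNECT host/IP is known
acl step2 at_step SslBump2    # client ClientHello (including SNI) has been peeked
acl step3 at_step SslBump3    # origin server certificate has been received

# Variant A (the working case in Steve's report): peek at step 1, bump at step 2.
# Squid has seen the client SNI before it connects to the server, so the
# forged certificate mimics the origin server's CN/SAN.
ssl_bump peek step1
ssl_bump bump step2

# Variant B (the problem case), commented out for contrast; use one variant only.
# Squid connects to the CONNECT hostname (sent as SNI) or raw IP (no SNI) at
# step 1, so the certificate it mimics, and therefore the forged CN, follows
# whatever the CONNECT request named rather than the un-peeked client SNI.
# ssl_bump bump step1
```

To see which CN a client actually receives through either variant, one check (assuming an OpenSSL build with `s_client -proxy`, i.e. 1.1.0 or later) is `openssl s_client -proxy 127.0.0.1:3128 -connect www.example.com:443 -servername www.example.com </dev/null | openssl x509 -noout -subject`, run once with `-connect` naming the host and once naming only its IP.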


