[squid-dev] [PATCH] Fast SNI peek

Eliezer Croitoru eliezer at ngtech.co.il
Tue May 17 19:37:22 UTC 2016


I will try to somehow schedule this test in some of my spare time after 
I will finish with couple other things.

Thanks,
Eliezer


On 16/05/2016 22:03, Alex Rousskov wrote:
> On 05/16/2016 01:51 AM, Eliezer Croitoru wrote:
>
>> I have a question about this specific file and SNI peek and splice in general.
> Your question is not specific to this patch/thread: AFAIK, the patch
> does not change whether/how Squid validates SNI.
>
>
>> For the scenario which the SNI declares www.google.com and the
>> destination IP address is not the domain, IE default apache or any
>> other domain. What happens? And specifically about the request
>> splicing? And in more detail my concern is that if some software will
>> fake the SNI knowing that the destination will never be the requested
>> one but some default of another domain, will the request be spliced
>> anyway?
> Sorry, I do not know the exact answers to your questions. Please note
> that the answers may depend on whether Squid intercepts or forwards
> connections and on the SslBump step during which Squid splices the
> connection. Researching this (and documenting any non-trivial answers on
> Squid wiki) would be useful.
>
>
> Cheers,
>
> Alex.
>



More information about the squid-dev mailing list