[squid-dev] [PATCH] ssl::server_name ACL badly broken since inception (trunk r14008).

Alex Rousskov rousskov at measurement-factory.com
Wed Nov 9 15:24:02 UTC 2016


On 10/28/2016 02:39 AM, Christos Tsantilas wrote:

> I am attaching the squid-3.5 version of the patch.

Amos, will you commit this fix to the v3.5 branch?


Thank you,

Alex.


> On 10/27/2016 12:46 AM, Amos Jeffries wrote:
>> On 21/10/2016 5:18 a.m., Christos Tsantilas wrote:
>>>
>>> The original server_name code mishandled all SNI checks and some rare
>>> host checks:
>>>
>>> * The SNI-derived value was pointing to an already freed memory storage.
>>> * Missing host-derived values were not detected (host() is never nil).
>>> * Mismatches were re-checked with an undocumented "none" value instead
>>> of being treated as mismatches.
>>>
>>> Same for ssl::server_name_regex.
>>>
>>> Also set SNI for more server-first and client-first transactions.
>>>
>>> This is a Measurement Factory project.
>>>
>>
>> +1.
>>
>> Amos
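The three defects listed in the commit message (a dangling SNI pointer, a host value that is never nil and so never detected as missing, and mismatches retried against an undocumented "none" value) all come down to how a server_name-style ACL holds and selects its candidate name. The following is an added illustration, not Squid's code, of a matcher that avoids all three: the SNI is stored by value in the transaction object, absence is modelled explicitly with std::optional, and a transaction with no usable name is a plain mismatch. The precedence (SNI if the client sent one, otherwise the request host) and the names TlsTransaction, serverNameAcl, serverNameRegexAcl and makeTx are assumptions of this example.

```cpp
// Added example, not Squid source: a server_name / server_name_regex style
// ACL that owns its SNI copy, treats a missing name as a mismatch, and never
// re-checks a mismatch against a fallback "none" value.
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <optional>
#include <regex>
#include <string>
#include <vector>

// Hypothetical transaction record. The SNI is a std::string held by value,
// so the ACL never keeps a pointer into a ClientHello parse buffer that may
// already have been freed when the check runs.
struct TlsTransaction {
    std::optional<std::string> sni;   // nullopt when the ClientHello carried no SNI
    std::optional<std::string> host;  // nullopt when no CONNECT/Host name is known
};

// Helper (hypothetical) to build transactions; nullptr means "absent".
TlsTransaction makeTx(const char *sni, const char *host) {
    TlsTransaction tx;
    if (sni) tx.sni = sni;
    if (host) tx.host = host;
    return tx;
}

enum class AclResult { Match, Mismatch };

static std::string lowerCopy(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// dstdomain-style pattern: ".example.com" matches the domain and any
// subdomain; "example.com" matches exactly. Comparison is case-insensitive.
static bool domainMatches(const std::string &pattern, const std::string &name) {
    const std::string p = lowerCopy(pattern), n = lowerCopy(name);
    if (!p.empty() && p[0] == '.') {
        if (n == p.substr(1)) return true;
        return n.size() >= p.size() && n.compare(n.size() - p.size(), p.size(), p) == 0;
    }
    return n == p;
}

// Shared selection logic. Precedence assumed for this example: the SNI if the
// client sent one, otherwise the request host. A transaction with neither is
// a mismatch; a present-but-non-matching name is also a mismatch and is not
// retried against any other value.
template <typename Pred>
static AclResult checkServerName(const TlsTransaction &tx, Pred matches) {
    const std::optional<std::string> &name = tx.sni ? tx.sni : tx.host;
    if (!name || name->empty()) return AclResult::Mismatch;
    return matches(*name) ? AclResult::Match : AclResult::Mismatch;
}

// ssl::server_name analogue: any dstdomain-style pattern may match.
AclResult serverNameAcl(const std::vector<std::string> &patterns, const TlsTransaction &tx) {
    return checkServerName(tx, [&](const std::string &name) {
        return std::any_of(patterns.begin(), patterns.end(),
                           [&](const std::string &p) { return domainMatches(p, name); });
    });
}

// ssl::server_name_regex analogue: any case-insensitive regex may match.
AclResult serverNameRegexAcl(const std::vector<std::string> &regexes, const TlsTransaction &tx) {
    return checkServerName(tx, [&](const std::string &name) {
        return std::any_of(regexes.begin(), regexes.end(), [&](const std::string &re) {
            return std::regex_search(name, std::regex(re, std::regex::icase));
        });
    });
}
```

With this shape the "missing host" case is a compile-time visible std::nullopt rather than a non-nil pointer to an empty object, and the "none" re-check cannot happen because checkServerName returns as soon as the selected name fails to match.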


