[squid-dev] Introduction / SslBump prototype patch to ignore unknown ciphers
Alex Rousskov
rousskov at measurement-factory.com
Wed May 17 22:39:27 UTC 2017
On 05/17/2017 03:18 PM, David Hogan wrote:
> I found that applying a blacklist at step3 resulted in too many false positives
> caused by subjectAltName matches.
Factory is working on a patch to address that problem.
> I am hoping separately to figure
> out how to match missing SNI and terminate, either by acl config or a patch.
The above-mentioned patch might allow for matching missing SNIs as well
(as a side effect of other changes), but I am not sure. If it does not,
the infrastructure introduced by that patch would make it easier to
properly add such a feature. Or you can just hard-code a check in your
personal Squid, of course.
> are you saying that the OpenSSL validation code could be used directly,
> rather than having OpenSSL think it's doing a real handshake?
Yes, of course. For example, the "openssl verify" command line tool does
not do handshakes.
HTH,
Alex.
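For the missing-SNI check Alex suggests hard-coding, here is an added example (not part of this thread and not Squid's SslBump code): a bounds-checked scan of a TLS ClientHello for the server_name extension (RFC 6066), plus a constructed ClientHello builder that exercises it with and without SNI. The function names `inspectClientHello`, `buildClientHello` and `shouldTerminate`, the fixed random bytes and the terminate-on-missing-SNI policy are assumptions made for the illustration.

```cpp
// Added example: locate the SNI host_name in a TLS ClientHello without any
// handshake, using bounds-checked reads so malformed input is rejected,
// not parsed past the end of the buffer. Illustrative, not Squid's code.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct HelloInfo {
    bool parsed = false;   // bytes were a well-formed TLS record carrying a ClientHello
    bool hasSni = false;   // a server_name extension with a host_name entry was found
    std::string sni;       // the host_name value, empty when absent
};

namespace {
// Minimal bounds-checked reader: any overrun sets `bad` and reads return 0.
struct Reader {
    const uint8_t* p; size_t len; size_t pos = 0; bool bad = false;
    Reader(const uint8_t* d, size_t n) : p(d), len(n) {}
    bool need(size_t n) { if (len - pos < n) bad = true; return !bad; }
    uint32_t u(size_t n) {             // big-endian unsigned of n bytes (n <= 3 here)
        if (!need(n)) return 0;
        uint32_t v = 0;
        while (n--) v = (v << 8) | p[pos++];
        return v;
    }
    void skip(size_t n) { if (need(n)) pos += n; }
    Reader sub(size_t n) {             // view of the next n bytes, then advance past them
        if (!need(n)) { Reader r(p, 0); r.bad = true; return r; }
        Reader r(p + pos, n); pos += n; return r;
    }
    bool done() const { return pos == len; }
};
} // namespace

HelloInfo inspectClientHello(const std::vector<uint8_t>& buf) {
    HelloInfo out;
    Reader rec(buf.data(), buf.size());
    if (rec.u(1) != 0x16) return out;          // record type must be handshake
    rec.skip(2);                               // record-layer protocol version
    Reader hs = rec.sub(rec.u(2));             // record body
    if (hs.u(1) != 0x01) return out;           // handshake type must be ClientHello
    Reader ch = hs.sub(hs.u(3));               // ClientHello body
    ch.skip(2 + 32);                           // client_version + random
    ch.skip(ch.u(1));                          // session_id
    ch.skip(ch.u(2));                          // cipher_suites
    ch.skip(ch.u(1));                          // compression_methods
    if (rec.bad || hs.bad || ch.bad) return out;
    if (ch.done()) { out.parsed = true; return out; }   // no extensions block at all
    Reader exts = ch.sub(ch.u(2));
    if (ch.bad || !ch.done()) return out;      // extensions must fill the rest of the hello
    while (!exts.bad && !exts.done()) {
        uint32_t type = exts.u(2);
        Reader body = exts.sub(exts.u(2));
        if (type == 0x0000 && !body.bad) {     // server_name extension (RFC 6066)
            Reader list = body.sub(body.u(2));
            while (!list.bad && !list.done()) {
                uint32_t nameType = list.u(1);
                uint32_t n = list.u(2);
                if (!list.need(n)) break;
                if (nameType == 0 && !out.hasSni) {   // name_type 0 = host_name
                    out.hasSni = true;
                    out.sni.assign(reinterpret_cast<const char*>(list.p + list.pos), n);
                }
                list.pos += n;
            }
            if (list.bad) return out;
        }
    }
    if (exts.bad) return out;
    out.parsed = true;
    return out;
}

// Assumed policy from the thread: terminate when there is no usable SNI.
bool shouldTerminate(const HelloInfo& h) { return !h.parsed || !h.hasSni; }

// Constructed test input: a minimal TLS 1.2 ClientHello carrying one SNI
// entry when `host` is non-empty, and no extensions block at all otherwise.
std::vector<uint8_t> buildClientHello(const std::string& host) {
    auto be = [](std::vector<uint8_t>& v, uint32_t x, int n) {
        while (n--) v.push_back((x >> (8 * n)) & 0xff);
    };
    std::vector<uint8_t> body;
    be(body, 0x0303, 2);                        // client_version TLS 1.2
    body.insert(body.end(), 32, 0x42);          // random (fixed for the example)
    body.push_back(0);                          // empty session_id
    be(body, 2, 2); be(body, 0xc02f, 2);        // one cipher suite
    body.push_back(1); body.push_back(0);       // null compression only
    if (!host.empty()) {
        std::vector<uint8_t> sni;
        be(sni, host.size() + 3, 2);            // server_name_list length
        sni.push_back(0);                       // name_type host_name
        be(sni, host.size(), 2);
        sni.insert(sni.end(), host.begin(), host.end());
        be(body, sni.size() + 4, 2);            // extensions length
        be(body, 0x0000, 2); be(body, sni.size(), 2);
        body.insert(body.end(), sni.begin(), sni.end());
    }
    std::vector<uint8_t> rec = {0x16, 0x03, 0x01};
    be(rec, body.size() + 4, 2);                // record length
    rec.push_back(0x01); be(rec, body.size(), 3);
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}

int main() {
    for (const std::string& host : {std::string("example.com"), std::string()}) {
        HelloInfo h = inspectClientHello(buildClientHello(host));
        std::cout << "sni=[" << h.sni << "] terminate=" << shouldTerminate(h) << "\n";
    }
    std::vector<uint8_t> cut = buildClientHello("example.com");
    cut.resize(cut.size() - 5);                 // truncated record is rejected, not misread
    std::cout << "truncated parsed=" << inspectClientHello(cut).parsed << "\n";
}
```

A record that claims more bytes than are present, or an extension length that overruns the hello, leaves `parsed` false and is treated the same as a missing SNI by `shouldTerminate`; a production check inside a proxy would also have to cope with a ClientHello split across several TCP reads, which this stand-alone example does not attempt.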