[squid-dev] [PATCH] ssl::server_name options to control matching logic.
Christos Tsantilas
christos at chtsanti.net
Fri May 26 10:08:56 UTC 2017
This patch uses the "--long-options" ACLs feature which was posted to
squid-dev under the mail thread:
"[PATCH] Adds support for --long-acl-options"
Patch description:
Many popular servers use certificates with several "alternative subject
names" (SubjectAltName). Many of those names are wildcards. For example,
a www.youtube.com certificate currently includes *.google.com and 50+
other subject names, most of which are wildcards.
Often, admins want server_name to match any of the subject names. This
is useful to match any server belonging to a large conglomerate of
companies, all including some *.example.com name in their certificates.
The existing server_name functionality addresses this use case well.
The new ACL options address several other important use cases:
--consensus allows matching a part of the conglomerate when the part's
subject name is included in certificates used by many other conglomerate
parts (e.g., matching Google but not Youtube).
--client-requested allows both (a) SNI-based matching even after Squid
obtains the server certificate and (b) pinpointing a particular server
in a group of different servers all using the same wildcard certificate
(e.g., matching appengine.example.com but not www.example.com when the
certificate has a *.example.com subject).
--server-provided allows matching only after Squid obtains the server
certificate and matches any of the conglomerate parts.
Also, this patch fixes Squid to log the client SNI when client-first
bumping mode is used.
This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-249-servername-options-squid5-t7.patch
Type: text/x-patch
Size: 24162 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170526/dccd493f/attachment.bin>
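The following squid.conf fragment is an added illustration of the three options described in the patch description; it is not part of the posted patch or of Squid's own documentation. The ACL names, the .google.com / .example.com domains and the splice/terminate policy are assumptions chosen to mirror the examples in the text.

```squid
# Added example (not from the patch). SslBump steps: step1 = client
# ClientHello (SNI known), step2 = server certificate obtained by peeking.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Default server_name: matches if ANY known name matches, i.e. the client SNI
# or ANY subject/SubjectAltName of the server certificate. Since a
# www.youtube.com certificate carries *.google.com as a SubjectAltName, this
# ACL also matches connections to YouTube (the "whole conglomerate" case).
acl AnyGoogle ssl::server_name .google.com

# --consensus: the name the client asked for must agree with the certificate
# names. A connection with SNI www.youtube.com does not match .google.com here,
# even though the certificate lists *.google.com (Google but not YouTube).
acl GoogleOnly ssl::server_name --consensus .google.com

# --client-requested: only the client SNI is considered, even after the server
# certificate is known. Separates hosts that share one *.example.com wildcard
# certificate (appengine.example.com but not www.example.com).
acl AppEngine ssl::server_name --client-requested appengine.example.com

# --server-provided: only certificate subject names are considered, so this
# ACL cannot match at step1 (no certificate yet); it matches any conglomerate
# member whose certificate carries a .example.com name.
acl ExampleCert ssl::server_name --server-provided .example.com

# Peek through step2 so the server certificate is available for the
# --consensus and --server-provided decisions at step3. Assumed policy:
# splice the allowed names, terminate everything else.
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice GoogleOnly
ssl_bump splice AppEngine
ssl_bump splice ExampleCert
ssl_bump terminate all
```

Two caveats for anyone adapting this: a rule placed before step2 can only see the SNI, so --server-provided ACLs evaluated at step1 will not match, and peeking (rather than staring) at step2 leaves only splice or terminate as step3 actions, so a "bump all" default would not work with this ordering.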