[squid-dev] request for change handling hostStrictVerify

kk at sudo-i.net
Tue Oct 26 21:46:55 UTC 2021


Hi Guys!
Sorry, I was unsure whether this was the correct point of contact regarding hostStrictVerify.

I think I am not the only one having issues with hostStrictVerify in scenarios where you just intercept traffic (TLS) and Squid checks, via the SNI, whether the IP address from the client is the same as the one Squid resolves. The major issue with that approach is that many services today change their DNS records at a very high frequency, so it's almost impossible to make sure that the client and Squid have the same A record cached.

My proposal to resolve this issue would be the following:
- Squid enforces that the client uses SNI! (Currently this is not done and can be considered a security issue, because you can bypass any hostname rules.)
- Squid looks up the IP for the SNI (DNS resolution).
- Squid forces the client to go to the resolved IP (thus ignoring the IP provided in the L3 info from the client).

Any thoughts?


Many thanks & have a nice day,

Kevin

-- 
Kevin Klopfenstein
sudo-i.net
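Added example (not part of Kevin's message and not Squid's own code): a small Python model of the two policies the message contrasts, the current strict check (SNI must resolve to the IP the client actually connected to; in squid.conf this is the host_verify_strict directive) and the proposed one (require SNI, resolve it on the proxy, connect to the resolved IP). The DNS tables, IP addresses and hostname are constructed; the no-SNI branch of the strict model is a simplification that only stands for "nothing to verify against", not for everything Squid does in that case. Running it shows why record churn makes the strict check fail even for an honest client, and what the proposal changes for a client that sends no SNI at all.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed DNS views (assumption): what each side currently has cached.
# The client resolved the name a moment ago; the proxy's cache already holds
# the rotated record set, so the two sides disagree even though both are honest.
CLIENT_DNS: Dict[str, Set[str]] = {"example.com": {"203.0.113.10"}}
PROXY_DNS: Dict[str, Set[str]] = {"example.com": {"203.0.113.11", "203.0.113.12"}}


@dataclass
class InterceptedConnect:
    client_dst_ip: str        # L3 destination the client actually connected to
    sni: Optional[str]        # TLS ClientHello server_name, None if absent


@dataclass
class Decision:
    action: str               # "forward" or "reject"
    connect_ip: Optional[str]  # where the proxy would open the server side
    reason: str


def strict_verify(conn: InterceptedConnect, proxy_dns: Dict[str, Set[str]]) -> Decision:
    """Model of the current host-verify-strict style check: the SNI, resolved
    from the proxy's point of view, must contain the IP the client went to."""
    if conn.sni is None:
        # Simplification: without SNI there is no name to compare against.
        return Decision("forward", conn.client_dst_ip,
                        "no SNI: nothing to verify, original destination used")
    resolved = proxy_dns.get(conn.sni, set())
    if conn.client_dst_ip in resolved:
        return Decision("forward", conn.client_dst_ip,
                        "SNI resolves to the client's destination")
    return Decision("reject", None,
                    f"SNI {conn.sni} resolves to {sorted(resolved)} on the proxy, "
                    f"but the client connected to {conn.client_dst_ip}")


def sni_pinned(conn: InterceptedConnect, proxy_dns: Dict[str, Set[str]]) -> Decision:
    """Model of the proposal: SNI is mandatory, the proxy resolves it and
    connects to its own answer, ignoring the client's L3 destination."""
    if conn.sni is None:
        return Decision("reject", None, "no SNI: hostname rules cannot be applied")
    resolved = proxy_dns.get(conn.sni, set())
    if not resolved:
        return Decision("reject", None, f"SNI {conn.sni} does not resolve")
    target = min(resolved)  # deterministic pick for the example
    return Decision("forward", target,
                    f"connecting to proxy-resolved {target}, ignoring client "
                    f"destination {conn.client_dst_ip}")


def honest_client_connect(name: str, client_dns: Dict[str, Set[str]]) -> InterceptedConnect:
    """An honest client: resolves the name itself and sends it as SNI."""
    return InterceptedConnect(client_dst_ip=min(client_dns[name]), sni=name)


if __name__ == "__main__":
    churned = honest_client_connect("example.com", CLIENT_DNS)
    no_sni = InterceptedConnect(client_dst_ip="203.0.113.10", sni=None)
    for label, conn in (("record churn", churned), ("no SNI", no_sni)):
        for policy in (strict_verify, sni_pinned):
            d = policy(conn, PROXY_DNS)
            print(f"{label:13} {policy.__name__:14} -> {d.action:7} {d.connect_ip}  ({d.reason})")
```

The first scenario is the one the message complains about: the client and the proxy both did a correct lookup, they just did it at different times, and the strict check rejects the connection. The second scenario is the security point in the proposal: with the strict model a client that omits SNI is not matched against any hostname rule, while the pinned model refuses it outright.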