[squid-dev] request for change handling hostStrictVerify
Steve Hill
steve at opendium.com
Thu Oct 28 16:17:04 UTC 2021
On 26/10/2021 22:46, kk at sudo-i.net wrote:
> - Squid forces the client to use SNI! (Currently this is not done and
> can be considered a security issue, because you can bypass any
> hostname rules.)
I don't think you can get away with requiring SNI everywhere. There is
still software in the wild which doesn't present an SNI.
Worse: there is software in the wild that presents an SNI that doesn't
have a matching DNS record! (I'm looking at you Apple).
However, you can probably change to an improved behaviour if there is an
SNI which resolves and matches the URI and Host: header, whilst still
supporting broken clients.
--
- Steve Hill
Technical Director | Cyfarwyddwr Technegol
Opendium Online Safety & Web Filtering http://www.opendium.com
Diogelwch Ar-Lein a Hidlo Gwefan
Enquiries | Ymholiadau: sales at opendium.com +44-1792-824568
Support | Cefnogi: support at opendium.com +44-1792-825748
------------------------------------------------------------------------
Opendium Limited is a company registered in England and Wales.
Mae Opendium Limited yn gwmni sydd wedi'i gofrestru yn Lloegr a Chymru.
Company No. | Rhif Cwmni: 5465437
Highfield House, 1 Brue Close, Bruton, Somerset, BA10 0HY, England.
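As an added illustration of the tiered behaviour suggested above (example code written for this page, not Squid's own implementation or anything from the thread): pull the server_name extension out of a raw TLS ClientHello, then decide how strictly to verify. A client with no SNI, or an SNI with no DNS record, keeps the existing lenient handling; an SNI that resolves and agrees with both the URI host and the Host: header gets strict verification. The "mismatch" outcome for a resolvable SNI that disagrees with the URI/Host is this example's own assumption, as is the injected resolver (a constructed dictionary standing in for DNS) and the constructed ClientHello bytes used as input.

```python
"""Added example, not Squid code: SNI extraction plus a tiered verify policy."""

SERVER_NAME_EXT = 0  # TLS extension type for server_name (RFC 6066)


def extract_sni(client_hello: bytes):
    """Return the host_name from a raw TLS ClientHello record, or None if absent."""
    # TLS record header: type(1) version(2) length(2); content type 22 = handshake
    if len(client_hello) < 5 or client_hello[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(client_hello[3:5], "big")
    hs = client_hello[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); msg_type 1 = ClientHello
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    p = 4
    p += 2 + 32                                   # legacy_version + random
    p += 1 + hs[p]                                # session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")   # cipher_suites
    p += 1 + hs[p]                                # compression_methods
    if p + 2 > len(hs):
        return None                               # no extensions block at all
    ext_len = int.from_bytes(hs[p:p + 2], "big")
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        body = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != SERVER_NAME_EXT:
            continue
        # ServerNameList: list_len(2), then entries of name_type(1) name_len(2) name
        q = 2
        while q + 3 <= len(body):
            ntype = body[q]
            nlen = int.from_bytes(body[q + 1:q + 3], "big")
            name = body[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0:                        # host_name
                return name.decode("ascii")
    return None


def build_client_hello(sni=None) -> bytes:
    """Constructed minimal ClientHello for the demo (not a real capture)."""
    body = b"\x03\x03" + bytes(32)                # version + random
    body += b"\x00"                               # empty session id
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00"                           # null compression only
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        snl = len(entry).to_bytes(2, "big") + entry
        exts += SERVER_NAME_EXT.to_bytes(2, "big") + len(snl).to_bytes(2, "big") + snl
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def normalise(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix (as seen in Host: headers)."""
    host = host.strip().lower().rstrip(".")
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    return host


def verification_mode(client_hello: bytes, uri_host: str, host_header: str, resolve) -> str:
    """Decide how strictly to verify one TLS client.

    resolve(name) returns a list of addresses, or [] when no DNS record exists.
    'legacy'   - no SNI, or an SNI with no DNS record: keep existing behaviour
    'strict'   - SNI resolves and matches both URI host and Host: header
    'mismatch' - (assumption of this example) SNI resolves but disagrees
    """
    sni = extract_sni(client_hello)
    if sni is None:
        return "legacy"
    sni_n = normalise(sni)
    if not resolve(sni_n):
        return "legacy"
    if sni_n == normalise(uri_host) == normalise(host_header):
        return "strict"
    return "mismatch"


# Constructed stand-in for DNS; 192.0.2.0/24 is documentation address space.
FAKE_DNS = {"www.example.com": ["192.0.2.10"]}

if __name__ == "__main__":
    lookup = lambda name: FAKE_DNS.get(name, [])
    print(verification_mode(build_client_hello(), "www.example.com", "www.example.com", lookup))
    print(verification_mode(build_client_hello("www.example.com"),
                            "www.example.com", "www.example.com:443", lookup))
```

The resolver is injected so the policy can be unit-tested without network access; in a real proxy the lookup would be the same resolver the CONNECT destination is checked against, and the "mismatch" branch is where a deployment would choose between denying the request and logging it.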