[squid-users] ssl_bump and SNI

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 3 15:05:36 UTC 2015


On 4/06/2015 2:27 a.m., sp_ wrote:
> Hello Nathan,
> 
> thank you for an example.
> 
> What version of squid are you running?
> Mine is:
> 
> 
> I've tried to apply the config you've posted, but with no luck. Squid can't
> get the domain:
> 
> 

Well, it's not a simple situation. Let's start with clarifying some of the
details...

SNI is a relatively new feature of TLS. There is no guarantee of a
domain name actually existing in the bumped (step1) metadata.

So, Squid may have to do a peek at step2 to get the server cert details
before it has any clue about what domain *might* be.

Also that means the %ssl::>sni helper format token that the ACL helper
approach depends on will be "-" for these requests.

To resolve that, use the new (in squid-3.5.4) ssl::server_name ACL
instead, which checks against the CONNECT hostname (if any) at step1+,
SNI domain (if any) at step2+, and server cert domain at step3.

Amos
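An added squid.conf fragment (not from this thread or the Squid project's own examples) showing the ssl::server_name / at_step pattern the reply describes, for squid 3.5.4 or later. The domain names are constructed placeholders; the at_step ACL, the ssl_bump peek/stare/splice/bump actions and the %ssl::bump_mode and %ssl::>sni logformat tokens are assumed to be available as documented for the 3.5 series.

```conf
# Added example, not part of the original mailing-list post.
# Domain names below are constructed placeholders.

# Name the three SslBump steps so rules can be bound to one step.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# ssl::server_name matches whatever name Squid knows so far:
#   step1: the CONNECT hostname (if any)
#   step2: the SNI from the client hello (if the client sent one)
#   step3: the name in the server certificate
acl banking ssl::server_name .bank.example

# Step 1: always peek, so the CONNECT/SNI name can be learned before
# any splice/bump decision is taken.
ssl_bump peek step1

# Step 2 and 3: this rule is checked first. At step2 it sees the SNI;
# a client that sent no SNI reaches step3 with "-" for SNI, and the
# server cert name is used instead.
ssl_bump splice banking

# Step 2, no match yet: peek at the server cert to learn the name.
# Peeking at step2 favours splicing; Squid's documentation notes that
# bumping after a step2 peek is not always possible, so a deployment
# that mostly bumps would use "stare step2" here and accept that the
# splice decision must then be made from step1/step2 names.
ssl_bump peek step2

# Step 3, still no match: intercept everything else.
ssl_bump bump all

# Log the decision and the SNI; "-" in the SNI column is the no-SNI
# case where a %ssl::>sni helper ACL has nothing to work with.
logformat sslbump %ts.%03tu %>a %ssl::bump_mode %ssl::>sni %rm %ru
access_log /var/log/squid/sslbump.log sslbump
```

Rules are evaluated top to bottom at each step and the first match wins, so the order above is what ties each action to a step: `peek step1` can only match at step1, `splice banking` is tried at step2 (SNI) and again at step3 (certificate), and `bump all` is reached only at step3 for names that never matched.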


