[squid-users] host_verify_strict and wildcard SNI
Steve Hill
steve at opendium.com
Wed Jul 6 14:36:25 UTC 2016
I'm using a transparent proxy and SSL-peek and have hit a problem with
an iOS app which seems to be doing broken things with the SNI.
The app is making an HTTPS connection to a server and presenting an SNI
with a wildcard in it - i.e. "*.example.com". I'm not sure if this
behaviour is actually illegal, but it certainly doesn't seem to make a
lot of sense to me.
Squid then internally generates a "CONNECT *.example.com:443" request
based on the peeked SNI, which is picked up by hostHeaderIpVerify().
Since *.example.com isn't a valid DNS name, Squid rejects the connection
on the basis that *.example.com doesn't match the IP address that the
client is connecting to.
Unfortunately, I can't see any way of working around the problem -
"host_verify_strict" is disabled, but according to the docs,
"For now suspicious intercepted CONNECT requests are always responded to
with an HTTP 409 (Conflict) error page."
As I understand it, turning host_verify_strict on causes problems with
CDNs which use DNS tricks for load balancing, so I'm not sure I
understand the rationale behind preventing it from being turned off for
CONNECT requests?
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
More information about the squid-users
mailing list