[squid-users] host_verify_strict and wildcard SNI
Yuri Voinov
yvoinov at gmail.com
Thu Jul 7 14:49:23 UTC 2016
07.07.2016 19:59, Marcus Kool wrote:
>
>
> On 07/07/2016 10:49 AM, Yuri wrote:
>
>>>>>>>> A similar question can be asked about SNI names containing unusual
>>>>>>>> characters. At some point, it would be too dangerous to include SNI
>>>>>>>> information in the fake CONNECT request because it will interfere with
>>>>>>>> HTTP rules, but it is not clear where that point is exactly.
>>>>>>>
>>>>>>> To support the weirdest apps Squid might have to simply copy all
>>>>>>> unusual characters to present the same parameter values to the server.
>>>>>>
>>>>>> It is being mapped into the HTTP equivalent value. Which are Host:
>>>>>> header and authority-URI. Only valid FQDN names can make it through the
>>>>>> mapping.
>>>>>
>>>>> Here things get complicated.
>>>>> It is correct that Squid enforces apps to follow standards or
>>>>> should Squid try to proxy connections for apps when it can?
>>>>
>>>> Squid isn't enforcing standards here. As Steve's original message says:
>>>> "generates a "CONNECT *.example.com:443" request based on the peeked SNI"
>>>> - which is arguably invalid HTTP syntax, but oh well.
>>>>
>>>> It then is unable to do a DNS lookup for *.example.com to find out what
>>>> its IPs are and does the error handling action for a failure to verify
>>>> on a CONNECT message.
>>>
>>> yes, the fake CONNECT is dealt with like a regular CONNECT including
>>> DNS lookup. I fear for other apps (besides the one ios app that Steve
>>> refers to) to break because Squid may connect to a different IP than
>>> the client/app is requesting.
>>> If Squid uses the original IP to connect without doing a DNS lookup,
>>> Steve's app will work and potential issues with other apps are
>>> prevented.
>
>> Interestingly, Marcus. Does this mean that the CDN may be at
>> different points in time different IP connection and it makes it
>> impossible for client connections through Squid?
>
> It all depends on the app/client: if it uses a servername/SNI that
> resolves to multiple IP addresses but needs to connect to the one
> that it specifically wants to CONNECT to, the app can fail since
> Squid might choose an other IP address to connect to.
>
> Or, apps might become slow since it might be faster when it reconnects
> to the same server that it connected to before.
> I think it is best to prevent issues and that Squid should connect
> to the IP that the client is trying to connect to.
I suggest devs will say this is not secure. Client can be compromised,
etc. etc. etc. :)
>
> Marcus
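The SNI-to-CONNECT mapping and the host-verification step the thread argues about, as an added Python sketch that is not Squid's own code: the hostname rules follow the Host-header/authority-URI constraints mentioned above, and the `FAKE_DNS` table with its 192.0.2.x/198.51.100.x addresses is constructed to stand in for a real resolver.

```python
import ipaddress
import re

# Constructed resolver table standing in for DNS: name -> set of IPs.
# Hypothetical values for illustration, not taken from the thread.
FAKE_DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},  # CDN-style multi-IP name
    "api.example.net": {"198.51.100.5"},
}

# One DNS label under the LDH rule (RFC 1123): 1-63 chars, letters, digits,
# hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def sni_to_connect_target(sni, port=443):
    """Map a peeked TLS SNI to the authority of a fake CONNECT request.

    Returns (target, None) when the name is a valid FQDN that can legally
    appear in a Host: header / authority-URI, else (None, reason).
    A wildcard such as '*.example.com' is rejected here: it is not a
    resolvable hostname, which is why a DNS lookup on it must fail.
    """
    if not sni or len(sni) > 253:
        return None, "empty or too long"
    name = sni.rstrip(".")
    if "*" in name:
        return None, "wildcard is not a hostname"
    for label in name.split("."):
        if not _LABEL.match(label):
            return None, "invalid label %r" % label
    return "%s:%d" % (name.lower(), port), None


def verify_destination(sni, client_dst_ip, resolver=FAKE_DNS):
    """host_verify_strict-style check: does the IP the client was really
    connecting to belong to the name it announced in SNI?

    Returns (ok, detail). ok is True only when the name resolves and the
    client's original destination is among the resolved addresses, so a
    client cannot use the proxy to reach one host while naming another.
    """
    target, reason = sni_to_connect_target(sni)
    if target is None:
        return False, reason
    host = target.rsplit(":", 1)[0]
    addrs = resolver.get(host)
    if not addrs:
        return False, "DNS lookup failed for %s" % host
    ipaddress.ip_address(client_dst_ip)  # raises ValueError on garbage input
    if client_dst_ip in addrs:
        return True, "client destination matches %s" % host
    return False, "client destination %s not among %s" % (client_dst_ip, sorted(addrs))
```

A name that resolves to several addresses passes as long as the client's original destination is one of them; the mismatch case is what the thread worries about when Squid picks a different address than the client did.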