[squid-users] host_verify_strict and wildcard SNI
Alex Rousskov
rousskov at measurement-factory.com
Thu Jul 7 17:05:50 UTC 2016
On 07/07/2016 10:41 AM, Steve Hill wrote:
> Realistically, shouldn't the SNI reflect the DNS request that was made
> to find the IP of the server you're connecting to? You would never make
> a DNS request for '*.example.com' so I don't see a reason why you would
> send an SNI that has a larger scope than the DNS request you made.
My DNS request was for coordinator.example.com. Since I wrote both sides
of the software, I know that the SSL server on that hostname will direct
me to the "best" internal *.service.example.com if I ask it to do that
by sending a wildcard SNI. That "SSL routing" will be based on some
internal business logic unavailable to the DNS resolver.
Is this design a good idea? No.
Is this bad idea "realistic"? Evidently, it is.
Alex.
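The exchange above turns on one question: does the SNI the client sends match the name the client actually resolved? A `host_verify_strict`-style check can be written as a small function. The following is an added illustration, not Squid's code and not taken from either poster; the function name, the return shape and the sample names (`coordinator.example.com`, `*.service.example.com`, taken from the thread) are the example's own choices.

```python
import ipaddress
from typing import Optional, Tuple


def sni_matches_requested_host(requested_host: str, sni: Optional[str]) -> Tuple[bool, str]:
    """Strict SNI check in the spirit of the host_verify_strict discussion.

    requested_host: the name the client looked up in DNS before connecting.
    sni: the server_name the client put in its TLS ClientHello (None if absent).

    Returns (accepted, reason). The rule is deliberately strict: the SNI must be a
    single fully qualified host name equal to the resolved name. A wildcard SNI,
    as in the thread, is wider than any DNS lookup the client could have made and
    is therefore refused; an IP literal is refused because SNI carries host names.
    """
    if not sni:
        return False, "no SNI sent"

    # Normalise: DNS names are case-insensitive and a trailing dot is not significant.
    host = requested_host.rstrip(".").lower()
    name = sni.rstrip(".").lower()

    # A wildcard label cannot correspond to a name the client resolved.
    if "*" in name:
        return False, "wildcard SNI is broader than any single DNS lookup"

    # SNI is defined for host names; an address literal is out of scope.
    try:
        ipaddress.ip_address(name)
        return False, "IP literal is not a valid SNI host name"
    except ValueError:
        pass

    if name != host:
        return False, f"SNI {name!r} does not match requested host {host!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values mirroring the thread.
    for req, sni in [
        ("coordinator.example.com", "coordinator.example.com"),
        ("coordinator.example.com", "*.service.example.com"),
        ("coordinator.example.com", "other.example.com"),
    ]:
        print(req, sni, sni_matches_requested_host(req, sni))
```

The interesting case is the second one: the wildcard SNI is refused even though the DNS lookup and the TLS connection are otherwise unremarkable, which is exactly the situation the thread describes from the intermediary's point of view.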