[squid-users] host_verify_strict and wildcard SNI
Amos Jeffries
squid3 at treenet.co.nz
Thu Jul 7 20:01:30 UTC 2016
On 8/07/2016 5:05 a.m., Alex Rousskov wrote:
> On 07/07/2016 10:41 AM, Steve Hill wrote:
>> Realistically, shouldn't the SNI reflect the DNS request that was made
>> to find the IP of the server you're connecting to? You would never make
>> a DNS request for '*.example.com' so I don't see a reason why you would
>> send an SNI that has a larger scope than the DNS request you made.
>
> My DNS request was for coordinator.example.com. Since I wrote both sides
> of the software, I know that the SSL server on that hostname will direct
> me to the "best" internal *.service.example.com if I ask it to do that
> by sending a wildcard SNI. That "SSL routing" will be based on some
> internal business logic unavailable to the DNS resolver.
>
> Is this design a good idea? No.
>
> Is this bad idea "realistic"? Evidently, it is.
>
Not really though. It depends on bugs in the receiving server software.
So even if it worked yesterday without a TLS proxy, it broke when the
server side of things changed.
Amos
More information about the squid-users
mailing list