[squid-users] Squid fails to bump where there are too many DNS names in SAN field
Ahmad, Sarfaraz
Sarfaraz.Ahmad at deshaw.com
Mon Sep 3 07:34:31 UTC 2018
Hi,
I am using Squid in an interception role with WCCP.
I am peeking at Step1 to read the SNI and determining whether to splice or bump.
That interception/MITM appears to fail where remote certificates from origin servers have way too many DNS names in the SAN field.
I have noticed this behavior with at least these 2 websites. In both the cases, my setup would be bumping the connections. (Obviously otherwise we won't be having this problem with splicing.)
https://www.pcmag.com/
https://www.extremetech.com/
The RFC doesn't set an upper bound on the number of DNS names you can set in the SAN field.
If I splice these domains/URLs, browsers don't complain either. So this seems local to Squid.
Points to note:
1) Even though openssl s_client can connect/negotiate just fine, Squid doesn't.
2) This is the behavior that I gather from a packet capture.
a. My client (say a workstation XYZ) tried to connect to 103.243.13.183:443 (That is https://www.extremetech.com)
b. WCCP ships packet to the proxy over GRE tunnel and a TCP connection with the proxy acting as the origin server is established.
c. XYZ sends ClientHello to the proxy.
d. Squid starts conversing with the origin server and sends a ClientHello.
e. Origin server replies with ServerHello, ServerKeyExchange, Certificate packets, Squid just waits endlessly.
f. The client, XYZ, ends up sending a FIN packet after ClientHello, since Squid never replies with a ServerHello.
Will I have to file a bug?
Regards,
Sarfaraz
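As an added example (not part of the original post, nor Squid project code), the following Python script reproduces the check a practitioner would run before filing the bug: fetch the origin server's leaf certificate directly (without the proxy), count the dNSName entries in its subjectAltName, and emit the splice exception the poster says works around the problem. The threshold, the `many_sans` ACL name and the sample certificate dictionaries are assumptions; the post gives no number for "too many". Only the Python standard library is used, and the network fetch is confined to the `__main__` block so the helper functions can be exercised offline.

```python
import socket
import ssl
import sys

# Assumed threshold: the post gives no count, so this is a tunable guess,
# not a documented Squid limit.
SAN_WARN_THRESHOLD = 100


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Do a plain TLS handshake straight to the origin (no proxy) and return
    the decoded leaf certificate as produced by SSLSocket.getpeercert().

    getpeercert() only populates subjectAltName for a certificate that passed
    verification, so the default (verifying) context is kept on purpose.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert: dict) -> list:
    """Return only the dNSName entries of the SAN extension (IP, email and
    URI entries are ignored)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def classify(cert: dict, threshold: int = SAN_WARN_THRESHOLD) -> str:
    """Decide how the proxy should treat the host: 'splice' when the SAN list
    is above the threshold, 'bump' otherwise."""
    return "splice" if len(san_dns_names(cert)) > threshold else "bump"


def splice_acl(hosts_to_certs: dict, threshold: int = SAN_WARN_THRESHOLD) -> str:
    """Render a squid.conf fragment: peek at step1, splice the hosts whose
    certificates carry too many SAN names, bump everything else.
    ssl::server_name matches the SNI read during the peek."""
    hosts = sorted(h for h, c in hosts_to_certs.items() if classify(c, threshold) == "splice")
    lines = []
    for h in hosts:
        lines.append(f"acl many_sans ssl::server_name {h}")
    lines.append("ssl_bump peek step1")
    if hosts:
        lines.append("ssl_bump splice many_sans")
    lines.append("ssl_bump bump all")
    return "\n".join(lines) + "\n"


# Constructed sample certificates in getpeercert() shape (not real data):
# one with a large SAN list, one with a short list plus a non-DNS entry.
SAMPLE_MANY = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": tuple(("DNS", f"host{i}.example.test") for i in range(150)),
}
SAMPLE_FEW = {
    "subject": ((("commonName", "small.example.test"),),),
    "subjectAltName": (("DNS", "small.example.test"), ("DNS", "www.small.example.test"),
                       ("IP Address", "192.0.2.1")),
}


if __name__ == "__main__":
    # Usage: python san_check.py www.pcmag.com www.extremetech.com
    results = {}
    for host in sys.argv[1:]:
        cert = fetch_peer_cert(host)
        n = len(san_dns_names(cert))
        results[host] = cert
        print(f"{host}: {n} dNSName entries -> {classify(cert)}")
    if results:
        print(splice_acl(results))
```

Run it against the two hosts from the post to see how many dNSName entries each certificate carries; if the count is large for exactly the hosts Squid stalls on and small for hosts it bumps fine, that supports the hypothesis and gives the bug report a concrete number. The generated `ssl_bump` lines are only the interim workaround, since splicing gives up inspection of those hosts.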