[squid-users] Squid fails to bump where there are too many DNS names in SAN field

Ahmad, Sarfaraz Sarfaraz.Ahmad at deshaw.com
Mon Sep 3 07:34:31 UTC 2018


Hi,

I am using Squid in an interception role with WCCP.
I am peeking at Step1 to read the SNI and determining whether to splice or bump.

That interception/MITM appears to fail where remote certificates from origin servers have far too many DNS names in the SAN field.
I have noticed this behavior with at least these 2 websites. In both cases, my setup would be bumping the connections. (Obviously we wouldn't be having this problem otherwise, with splicing.)

https://www.pcmag.com/
https://www.extremetech.com/


The RFC doesn't set an upper bound on the number of dnsnames you can set in the SAN field.
If I splice these domains/URLs, browsers don't complain either. So this seems local to Squid.

Points to note:

1) Even though openssl s_client can connect/negotiate just fine, Squid doesn't.

2) This is the behavior that I gather from a packet capture:

a. My client (say a workstation XYZ) tries to connect to 103.243.13.183:443 (that is https://www.extremetech.com).

b. WCCP ships the packet to the proxy over the GRE tunnel and a TCP connection is established, with the proxy acting as the origin server.

c. XYZ sends a ClientHello to the proxy.

d. Squid starts conversing with the origin server and sends a ClientHello.

e. The origin server replies with ServerHello, ServerKeyExchange and Certificate packets; Squid just waits endlessly.

f. The client, XYZ, ends up sending a FIN packet after its ClientHello, since Squid never replies with a ServerHello.

Will I have to file a bug?

Regards,
Sarfaraz
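To put a number on the "too many DNS names" observation above, the following is an added example (not from the post, not Squid code) that completes a TLS handshake with an origin using the same SNI Squid would peek at in step1, then summarises the leaf certificate's subjectAltName entries: how many dNSName entries, how many wildcards, how many IP entries, and whether the SNI is actually covered. It uses only the Python standard library; the embedded `SAMPLE_CERT` is a constructed dict in `getpeercert()` shape so the summary logic runs offline, and `www.example.test` is a placeholder host, not one of the sites named in the post.

```python
"""Summarise the SAN extension of a TLS server certificate (added example)."""
import socket
import ssl
from typing import Dict, List


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with `host` (sent as SNI, like the peeked
    ClientHello) and return the leaf certificate in SSLSocket.getpeercert() form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _wildcard_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName against a hostname. Only a leftmost '*' label is a
    wildcard, and it covers exactly one label (RFC 6125 style matching)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def summarize_san(cert: dict, sni: str) -> Dict[str, object]:
    """Count SAN entries by type and report whether `sni` is covered by them."""
    san = cert.get("subjectAltName", ())
    dns_names: List[str] = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    return {
        "dns_count": len(dns_names),
        "ip_count": len(ip_names),
        "other_count": len(san) - len(dns_names) - len(ip_names),
        "wildcards": sum(1 for n in dns_names if n.startswith("*.")),
        "longest_dns_name": max((len(n) for n in dns_names), default=0),
        "sni_covered": any(_wildcard_match(n, sni) for n in dns_names),
    }


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": tuple(
        [("DNS", "www.example.test"),
         ("DNS", "*.cdn.example.test"),
         ("IP Address", "192.0.2.10")]
        + [("DNS", f"site{i}.example.test") for i in range(60)]
    ),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]          # e.g. a host whose bump is failing
        cert = fetch_peer_cert(host)
    else:
        host, cert = "www.example.test", SAMPLE_CERT
    for key, value in summarize_san(cert, host).items():
        print(f"{key}: {value}")
```

Run it with a hostname argument from a machine that reaches the origin directly (not through the intercepting proxy) and compare the counts between hosts that bump fine and hosts that hang; the offline default just exercises the summary on the constructed sample.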



