[squid-users] hostHeaderVerify with SNI in interception environments

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 17 23:10:27 UTC 2021


On 18/09/21 8:14 am, Alex Rousskov wrote:
> On 9/17/21 3:29 PM, Andreas Weigel wrote:
> 
>> If splicing at step3, however, hostHeaderVerify is not called again with
>> the SNI
> 
> I assume that the above statement would still be true if I remove the
> word "again" from it. This is how I interpreted it (i.e.
> hostHeaderVerify() is called once with the IP address and never with SNI).
> 
> There are other ways to interpret that statement (e.g., hostHeaderVerify
> was called with SNI once, but you expected it to be called with SNI twice).
> 
> 
>> I was wondering if this could be considered a bug or if there is a
>> rationale to change the behavior in the "peek at step2, splice at step3"
>> scenario.
> 
> If my interpretation above is correct, then this sounds like a bug to
> me: Squid/hostHeaderVerify() must validate every request target value
> Squid intends to use for cache lookups and/or connecting. If the request
> target changes from IP to SNI, then Squid must validate exactly twice.
> 

AIUI, SSL-Bump step 3 does not need to verify because a) it uses the 
server connection set up at step 2, and b) the issue(s) checked for only 
apply to a mismatch of names provided by clients vs dst-IP.


Amos
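The "peek at step2, splice at step3" interception setup the thread is discussing, written out as an added illustration; it is not part of this thread and not a configuration shipped by the Squid project. The port number, certificate path, certificate-cache path and helper path are assumptions; the directive names are the documented squid.conf ones.

```conf
# squid.conf fragment (assumed values): intercepted TLS, peeked at
# SslBump1/SslBump2, spliced at SslBump3.

# Firewall/NAT redirects port 443 traffic here; "intercept" means the
# client never sent a CONNECT, so the only request target Squid has at
# step 1 is the original destination IP (what hostHeaderVerify sees).
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/bump.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Certificate generator is required by ssl-bump even when every
# connection ends up spliced (assumed helper and cache paths).
sslcrtd_program /usr/lib/squid/security_file_certgen \
    -s /var/cache/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# step 1: read the client ClientHello (this is where the SNI becomes known)
ssl_bump peek step1
# step 2: read the server hello/certificate, still able to splice
ssl_bump peek step2
# step 3: hand the TCP connection over untouched
ssl_bump splice step3

# Host/SNI vs destination-IP checking. For intercepted traffic Squid
# always compares the client-supplied name with the dst-IP; this only
# controls whether a mismatch is rejected rather than just logged.
host_verify_strict on
```

With this configuration the sequence matches the one described in the thread: the verification runs against the destination IP when the intercepted connection arrives, and the SNI learned at step 1 is what the step-3 splice decision is made on. Whether a second verification against the SNI should happen there is the open question of the thread, not something this fragment settles.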

