[squid-users] hostHeaderVerify with SNI in interception environments

Andreas Weigel andreas.weigel at securepoint.de
Tue Sep 21 14:14:00 UTC 2021


Hi,

sorry for the late response and the ambiguity in the initial post.

> That fact is unrelated to the concern being raised in this thread
> AFAICT: The concern is _not_ whether Squid verifies the target of the
> SNI-based CONNECT during step3. The concern is whether Squid verifies
> the target of the SNI-based CONNECT at all.

Exactly. If splicing in step2, the SNI is validated (DNS lookup, comparing results with IP from client request). In that configuration, hostHeaderVerify is called twice, once at step1 (without any hosts, always passes) and once at step2 (with SNI, if present).

If peeking in step2 and splicing in step3, the SNI is *not* validated in step2 -- hostHeaderVerify is only called once without any hostname at step1 in that case and that always passes.

Andreas
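The two ssl_bump rule sets Andreas contrasts, written out as squid.conf fragments. This is an added illustration, not configuration from the post or from the Squid project; the port number, the CA path and the Squid 4+ `tls-cert=` syntax are assumptions, and the comments restate the behaviour the post describes rather than anything verified here.

```conf
# Added example (not from the post or the Squid project).
# Assumes Squid 4+ syntax and an intercepting HTTPS port; the port and
# the CA path are hypothetical.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Configuration A: peek at step1 (reads the client hello, including SNI),
# splice at step2. Per the post, hostHeaderVerify runs at step1 with no
# hostname (always passes) and again at step2 with the SNI, so the SNI is
# checked against the intercepted destination IP via DNS.
ssl_bump peek step1
ssl_bump splice step2

# Configuration B: peek at step1 and step2 (also reads the server hello),
# splice at step3. Per the post, hostHeaderVerify runs only once, at step1
# with no hostname, so the SNI is never validated in this arrangement.
# Exactly one of A or B is active; B is commented out here.
#ssl_bump peek step1
#ssl_bump peek step2
#ssl_bump splice step3
```

When auditing an interception deployment, read the ssl_bump lines with the at_step ACLs in mind: the same splice decision made one step later changes whether the SNI-vs-destination-IP check described in the thread ever runs.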


