[squid-users] Splice certain SNIs which served by the same IP
Amos Jeffries
squid3 at treenet.co.nz
Tue Feb 22 14:31:44 UTC 2022
On 23/02/22 01:05, Ben Goz wrote:
> By the help of God.
>
> If I'm using the self-signed certificate that I created for the ssl
> bump, then the browser considers it as the same certificate for any
> domain I'm connecting to?
>
The key thing to remember is that a TLS server certificate validates the
*server*, not the URL domain name.

HTTP/2 brings the feature of alternate server names. So once connected
and talking, a server can tell the client a bunch of other domains that
can be fetched from it.

Since you are using SSL-Bump "splice" to set up the connection, Squid has
no control or interaction over what the server and client tell each
other within that connection.

HTH
Amos