On 26/05/17 22:08, Christos Tsantilas wrote:
> This patch uses the "--long-options" ACLs feature which was posted to
> squid-dev under the mail thread:
> "[PATCH] Adds support for --long-acl-options"
> Patch description:
> Many popular servers use certificates with several "alternative
> subject names" (SubjectAltName). Many of those names are wildcards.
> For example, a www.youtube.com certificate currently includes
> *.google.com and 50+ other subject names, most of which are wildcards.
> Often, admins want server_name to match any of the subject names. This
> is useful to match any server belonging to a large conglomerate of
> companies, all including some *.example.com name in their
> certificates. The existing server_name functionality addresses this
> use case well.
> The new ACL options address several other important use cases:
> --consensus allows matching a part of the conglomerate when the part's
> subject name is included in certificates used by many other
> conglomerate parts (e.g., matching Google but not Youtube).
So this ACL option somehow makes Squid aware of corporate ownership and
political structures and human-world business operations? er, no.
Thankfully the text you are adding to cf.data.pre does a better job of
explaining this option. Please use that text as the commit message
description instead of the above confusing fuzz - if you have to at all:
having the docs as part of the patch makes it somewhat redundant to
describe them in the commit message.
> --client-requested allows both (a) SNI-based matching even after Squid
> obtains the server certificate and (b) pinpointing a particular server
> in a group of different servers all using the same wildcard
> certificate (e.g., matching appengine.example.com but not
> www.example.com when the certificate has a *.example.com subject).
> --server-provided allows matching only after Squid obtains the server
> certificate and matches any of the conglomerate parts.
> Also this patch fixes Squid to log the client SNI when client-first
> bumping mode is used too.
> This is a Measurement Factory project
in src/acl/ServerName.h:
* please only use questions to document pre-existing code whose
behaviour you are not entirely sure of, but where a guess is better than
nothing at all.
- I am referring of course to the "Ignore ... names?" questions.
in src/cf.data.pre:
* CONNECT handling is somewhat special because its URI is the authority,
the Host header is ignored. So mentioning it here is wrong.
- s/ target (a.k.a. Host header or URI) / target (a.k.a. URI) /
in src/ssl/ServerBump.h:
* "the SSL client SNI name" is both wrong and redundant.
- SSL clients cannot send SNI, only TLS clients can send TLS extensions.
- the 'N' in SNI is for name. So that text says "server name
indication name".
- "TLS client delivered SNI value. Empty string if none has been
received." would be more accurate documentation for this member.
+1 with that polishing. Thank you.
Amos
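The following is an added model of the server_name option semantics as the patch description above explains them (the conglomerate, consensus and wildcard-pinpointing cases); it is illustrative code written for this thread, not Squid's ACL implementation. It assumes dstdomain-style ACL values (".example.com" covers that domain and its subdomains, anything else is an exact host), single leftmost-label wildcards in certificate names, and that --consensus and --server-provided cannot match before the server certificate is available.

```python
# Added model of the server_name ACL options described in the patch (not
# Squid's code). Assumptions: dstdomain-style ACL values; certificate
# names may carry one leftmost-label wildcard; --consensus and
# --server-provided never match before the server certificate is known.
from typing import Optional, Sequence


def acl_value_matches(acl_value: str, name: str) -> bool:
    """dstdomain-style comparison of one ACL value with one server name."""
    v, n = acl_value.lower(), name.lower().rstrip(".")
    if v.startswith("."):
        return n == v[1:] or n.endswith(v)
    return n == v


def cert_name_covers(cert_name: str, host: str) -> bool:
    """Does a (possibly wildcard) certificate subject name cover host?"""
    c, h = cert_name.lower(), host.lower().rstrip(".")
    if c.startswith("*."):
        suffix = c[1:]  # "*.example.com" -> ".example.com"
        return h.endswith(suffix) and "." not in h[: -len(suffix)]
    return c == h


def server_name_match(acl_value: str, client_requested: str,
                      server_provided: Optional[Sequence[str]],
                      option: Optional[str] = None) -> bool:
    """Evaluate `server_name [option] acl_value` for one bumped connection.

    client_requested: the TLS SNI (or CONNECT host).
    server_provided: subject names from the server certificate, or None
    while Squid has not yet obtained the certificate.
    """
    if option == "--client-requested":
        names = [client_requested]  # ignore the certificate even if present
    elif option == "--server-provided":
        names = list(server_provided or [])
    elif option == "--consensus":
        # Use the client-requested name only when the server cert vouches for it.
        if not server_provided or not any(
                cert_name_covers(c, client_requested) for c in server_provided):
            return False
        names = [client_requested]
    else:  # default: any name from either source
        names = [client_requested] + list(server_provided or [])
    return any(acl_value_matches(acl_value, n) for n in names)


# Constructed sample certificate names mirroring the description above.
YOUTUBE_STYLE_CERT = ["*.google.com", "*.youtube.com"]
WILDCARD_CERT = ["*.example.com"]
```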
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev