On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
> Hello Amos.
>
> Thank you for the answer.
>
> An investigation was made into squid's peek and splice issues in
> transparent mode. The one-line explanation is as follows: in
> intercept mode squid can't get a server host name from the request
> header and uses the client IP address instead, both for fake cert
> generation and as the SNI record in the server-side bump SSL
> handshake. This is the root of the problem. However, this can be
> fixed if squid uses the SNI field taken from the client TLS Hello
> message for those purposes. Can you hack squid in this way? What do
> you think?

I think peek-n-splice is supposed to already be doing that. However it does depend on whether you are bumping the connection at step 1 (before ClientHello), step 2 (after ClientHello, before ServerHello), or step 3 (after both ClientHello and ServerHello) of the TLS handshake whether the SNI details are present.

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users