-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
> Hello Amos.
> 
> Thank you for answer.
> 
> There was made an investigation related to squid's peek and splice 
> issues in transparent mode. One-line explanation is as follows - in
> intercept mode squid can't get a server host name from the request
> header and uses clent IP address instead for both fake cert
> generation and as a SNI record in server bump SSL handshaking. This
> is the root of the problem. However this can be fixed if squid uses
> SNI field taken from client TLS Hello message for that purposes.
> Can you hack squid in this way? What do you think?

I think peek-n-splice is supposed to already be doing that.

However it does depend on whether you are bumping the connection at
step 1 (before ClientHello), step 2 (after ClientHello, before
ServerHello), or step 3 (after both ClientHello and ServerHello) of
the TLS handshake whether the SNI details are present.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUeUjPAAoJELJo5wb/XPRj6QEIAOHrR8wmDcjkfgUh2UtPwpHP
vVkPMEuIrUq9Gxx3uSojCZjlFJPuCQ2UafS1p8LuxcEQ+TRmUFbAu4AkKoO2RoZ5
7fCGoiXTwn4TzFf0pLh9SPBq9j12OJ3uT28EEqbILrT0sbKP02xK/qiJfCLR61Ev
vprAdggapbKg/ns1l1H3BBgZR2A4W/abQPIq6/Eu/r+7nYK6L2oOdqPDWTJjudMV
8D9sdOD9mYYryrdptU0GLh9Q/V5QEhipSkuA936iZ0Dfa2ZSr4gphJyaRAFWSMf3
q502lZy+ASkDa2vAbjALRBgn3VwYWl8KBQcypUKF4UXtaLtF0EIrLMun+p4QxUM=
=44aG
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to