When negotiating SSL connections Squid 3.1 currently only matches the server name against the peer certificate's common name. Some X509 certs use the subjectAltName extension, which can specify a number of alternate DNS names for which the certificate is valid. Code to handle the subjectAltName extension is available in Squid 2.7 but has not been ported to 3.1. I'm not 100% sure if this is an oversight or if there is some outstanding security issue with honouring additional DNS names.
Here's a patch against Squid 3.1.0.16 that ports the subjectAltName handling code from Squid 2.7. Also available as a bzr branch at lp:~brotchie/squid/ssl-subjectAltName-3.1

Cheers,
James
squid-3.1.0.16-subjectAltName.patch
Description: Binary data
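The attached patch is binary in this archive, so the behaviour it describes is illustrated here with an added example that is not Squid's code and not James's patch. It contrasts the CN-only check the post describes with a SAN-aware check: when a certificate carries dNSName entries in subjectAltName, those names are the ones a client should match, with the commonName used only as a fallback for certificates that have no dNSName SAN. The certificate is a constructed dict in the shape Python's `ssl.getpeercert()` returns; the names in it and the helper functions are assumptions made for this example.

```python
"""Hostname matching against an X.509 peer certificate: CN-only versus
CN + subjectAltName.  Added example; not Squid 3.1 or 2.7 code.  The
certificate below is constructed data in the shape of ssl.getpeercert()."""

# Constructed sample: CN is www.example.com, but the certificate is also
# valid for the subjectAltName dNSName entries (assumed names, not real).
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.cdn.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed sample with no subjectAltName at all: only the CN is available.
CONSTRUCTED_CERT_NO_SAN = {
    "subject": ((("commonName", "legacy.example.net"),),),
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison.  A single '*' is accepted only as
    the whole leftmost label and matches exactly one label, so '*.cdn.example.com'
    covers 'static.cdn.example.com' but not 'cdn.example.com' or 'a.b.cdn.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*', '*.com', 'a*.b.c' and wildcards anywhere but the first label.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def common_names(cert: dict) -> list:
    """All commonName values from the subject RDNs (there may be several)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def san_dns_names(cert: dict) -> list:
    """Only the dNSName entries; IP Address and other SAN types are ignored here."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def match_cn_only(cert: dict, hostname: str) -> bool:
    """The behaviour the post attributes to Squid 3.1: consult the CN alone."""
    return any(_label_matches(cn, hostname) for cn in common_names(cert))


def match_hostname(cert: dict, hostname: str) -> bool:
    """SAN-aware check: if the certificate carries any dNSName SAN, those names
    are authoritative and the CN is not consulted; the CN is used only as a
    fallback for certificates that have no dNSName SAN at all."""
    names = san_dns_names(cert) or common_names(cert)
    return any(_label_matches(n, hostname) for n in names)


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "static.cdn.example.com"):
        print(host, "cn-only:", match_cn_only(CONSTRUCTED_CERT, host),
              "san-aware:", match_hostname(CONSTRUCTED_CERT, host))
```

The difference the post is about shows up on `example.com` and `static.cdn.example.com`: both are legitimately covered by the certificate's subjectAltName, yet the CN-only check rejects them. The fallback-to-CN rule (use the CN only when no dNSName SAN is present) is the conservative choice, since a certificate that lists SANs has stated explicitly which names it is valid for.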
