Re: Server Name Indication for transparent https proxy

2012-04-03 Thread Tsantilas Christos
On 04/02/2012 11:05 PM, Henrik Nordström wrote:
> Mon 2012-04-02 at 21:14 +0200, Santiago Garcia Mantinan wrote:
>
> > The thing I'd like to do and I haven't seen how to do with current squid, is
> > to allow transparent proxy of incoming https connections based on this
> > Server Name Indication.  Maybe I missed this and it is already implemented,
> > but if this is not yet implemented I'd like to know if you'd like me to
> > implement it and how would you like it to be implemented and on which squid
> > code.
>
> I am not aware of any Squid implementation of SNI parsing to extract the
> requested host.

Currently squid sets the SNI extension when it connects to the remote SSL
server.
But it does not use SNI for incoming SSL connections...

Regards,
   Christos

 
> You are very welcome to try to implement SNI identification.
> Implementation is preferably done to Squid-3 bzr trunk, but it's OK to
> base changes on Squid-3.2 as well. This is closely related to sslbump
> and there have been significant changes to sslbump in 3.2.



Server Name Indication for transparent https proxy

2012-04-02 Thread Santiago Garcia Mantinan
Hi!

I'm a long time squid user and I never found anything that I wanted to get
from squid that wasn't already there, but it seems this time I found
something missing and seems time to pay back ;-)

Server Name Indication (SNI as some say) is an extension to ssl and tls
https connections that was mainly written to allow web servers to serve
secure sites on the same IP/Ports with different certificates, what it does
is send the server name to connect to on client hello, so the server knows
what certificate to present before getting into ssl/tls.  It is described on
rfc3546.

The thing I'd like to do and I haven't seen how to do with current squid, is
to allow transparent proxy of incoming https connections based on this
Server Name Indication.  Maybe I missed this and it is already implemented,
but if this is not yet implemented I'd like to know if you'd like me to
implement it and how would you like it to be implemented and on which squid
code.

I believe that's all for now, we can get to more details if you want me to do
something regarding this.

Regards...
-- 
Manty/BestiaTester - http://manty.net


Re: Server Name Indication for transparent https proxy

2012-04-02 Thread Henrik Nordström
Mon 2012-04-02 at 21:14 +0200, Santiago Garcia Mantinan wrote:

> The thing I'd like to do and I haven't seen how to do with current squid, is
> to allow transparent proxy of incoming https connections based on this
> Server Name Indication.  Maybe I missed this and it is already implemented,
> but if this is not yet implemented I'd like to know if you'd like me to
> implement it and how would you like it to be implemented and on which squid
> code.

I am not aware of any Squid implementation of SNI parsing to extract the
requested host.

You are very welcome to try to implement SNI identification.
Implementation is preferably done to Squid-3 bzr trunk, but it's OK to
base changes on Squid-3.2 as well. This is closely related to sslbump
and there have been significant changes to sslbump in 3.2.
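
Added example, not part of the thread and not Squid code: a Python parser for the SNI extraction discussed in the two messages above, reading the host name from the server_name extension of a ClientHello. It assumes the whole ClientHello arrives in a single TLS record; `extract_sni` and `build_sample_hello` are names made up for this example, and the sample hello is constructed.

```python
import struct

def _take(buf, pos, n):  # -> (n bytes, new pos); ValueError when buf is short
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n

def _vec(buf, pos, width):  # vector prefixed by a width-byte big-endian length
    raw, pos = _take(buf, pos, width)
    return _take(buf, pos, int.from_bytes(raw, "big"))

def extract_sni(record):
    """Return host_name from a single-record ClientHello, or None if absent."""
    if record[:1] != b"\x16":                 # content type 22 = handshake
        return None
    body, _ = _vec(record, 3, 2)              # skip version, read record payload
    if body[:1] != b"\x01":                   # handshake type 1 = ClientHello
        return None
    hello, _ = _vec(body, 1, 3)               # 24-bit handshake length
    _, pos = _take(hello, 0, 2 + 32)          # client_version + random
    for width in (1, 2, 1):                   # session_id, cipher_suites, compression
        _, pos = _vec(hello, pos, width)
    if pos == len(hello):                     # no extensions block, so no SNI
        return None
    exts, _ = _vec(hello, pos, 2)
    pos = 0
    while pos < len(exts):
        head, pos = _take(exts, pos, 4)
        ext_type, ext_len = struct.unpack("!HH", head)
        ext, pos = _take(exts, pos, ext_len)
        if ext_type == 0:                     # extension 0 = server_name
            names, p = _vec(ext, 0, 2)[0], 0  # ServerNameList
            while p < len(names):
                kind, p = _take(names, p, 1)
                name, p = _vec(names, p, 2)
                if kind == b"\x00":           # name_type 0 = host_name
                    return name.decode("ascii")
    return None

def build_sample_hello(host=None):
    """Constructed test input: minimal ClientHello, with SNI when host is given."""
    exts = b""
    if host is not None:
        entry = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HHH", 4 + len(sni), 0, len(sni)) + sni
    hello = b"\x03\x01" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00" + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that sends no extensions yields `None`, so a proxy routing on this value still needs a fallback such as the original destination address.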






Server Name Indication

2009-11-23 Thread Craig
Hi,

do you plan to implement Server Name Indication into squid? I know the
caveats of browser compatibility, but in a year or two, the percentage
of people using FF1.x and IE6 will surely decrease.

Best regards,

Craig


Re: Server Name Indication

2009-11-23 Thread Henrik Nordstrom
Fri 2009-11-20 at 01:28 +0100, Craig wrote:

> do you plan to implement Server Name Indication into squid? I know the
> caveats of browser compatibility, but in a year or two, the percentage
> of people using FF1.x and IE6 will surely decrease.

Getting SNI implemented is interesting to the project, but at this time
there is no current developer actively looking into the problem.

Squid is a community-driven project. As such what features get
implemented is very much dependent on what the community contributes to
the project in terms of developer time.

Regards
Henrik