On 03/27/2015 05:58 AM, Amos Jeffries wrote:
> Indeed. It's the hostname vs SNI case we can check and SHOULD do so. The
> raw-IP ones we can skip the check. Some nasties will still get passed,
> but less than without any checks.

This is all outside this patch scope though, right?! Whether or not Squid should compare peeked SNI with CONNECT hostname seems totally unrelated to splicing of resumed sessions. If so, let's get this fix in and [continue to] discuss what kind of additional checks to add to SslBump separately.

Thank you,

Alex.