On 4/04/2015 9:17 a.m., Alex Rousskov wrote:
> On 03/27/2015 05:58 AM, Amos Jeffries wrote:
>> Indeed. It's the hostname vs SNI case we can check and SHOULD do so. The
>> raw-IP ones we can skip the check. Some nasties will still get passed,
>> but less than without any checks.
>
>
> This is all outside this patch scope though, right?! Whether or not
> Squid should compare peeked SNI with CONNECT hostname seems totally
> unrelated to splicing of resumed sessions. If so, let's get this fix in
> and [continue to] discuss what kind of additional checks to add to
> SslBump separately.
While I disagree that adding the security-related checks after the fact is a good approach, I can live with it.

The config directive does need to go though.

Christos said on IRC there were some issues after updating the patch. So I'm unsure if it will need another review before merge. If you want to make that call, I'll go with it.

Amos

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
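The check the thread discusses (compare the SNI peeked from the ClientHello with the hostname in the CONNECT request, and skip the comparison when the CONNECT target is a raw IP) can be illustrated outside Squid. The following is an added example written for this thread, not code from the Squid project or from any of the participants; the function names, the decision labels and the choice to pass through a ClientHello that carries no SNI are assumptions made here for illustration.

```python
import ipaddress
from typing import Optional, Tuple


def parse_connect_host(connect_target: str) -> str:
    """Extract the host part of a CONNECT authority ("host:port" or "[v6]:port").

    IPv6 literals in a CONNECT line are bracketed, so a leading '[' means
    everything up to ']' is the host; otherwise split off the last ':port'.
    """
    target = connect_target.strip()
    if target.startswith("["):
        end = target.find("]")
        return target[1:end] if end != -1 else target[1:]
    host, sep, port = target.rpartition(":")
    return host if sep and port.isdigit() else target


def is_raw_ip(host: str) -> bool:
    """True when the CONNECT target is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize_name(name: str) -> str:
    """Case-insensitive, trailing-dot-insensitive comparison form for DNS names."""
    return name.strip().rstrip(".").lower()


def sni_matches_connect(connect_target: str, peeked_sni: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a peeked SNI is consistent with the CONNECT hostname.

    Returns (allow, reason). Hypothetical policy used for this example:
      - raw-IP CONNECT targets are not checked ("skip-raw-ip"), as the thread suggests;
      - a ClientHello without SNI cannot be checked, so it is passed through ("skip-no-sni");
      - otherwise the two names must match after normalization ("match" / "mismatch").
    """
    host = parse_connect_host(connect_target)
    if is_raw_ip(host):
        return True, "skip-raw-ip"
    if not peeked_sni:
        return True, "skip-no-sni"
    if normalize_name(host) == normalize_name(peeked_sni):
        return True, "match"
    return False, "mismatch"


if __name__ == "__main__":
    # Constructed sample CONNECT targets and peeked SNI values, not captured traffic.
    samples = [
        ("example.com:443", "example.com"),
        ("Example.COM:443", "example.com."),
        ("example.com:443", "other.example.net"),
        ("203.0.113.5:443", "whatever.example"),
        ("[2001:db8::1]:443", None),
        ("example.com:443", None),
    ]
    for target, sni in samples:
        allow, reason = sni_matches_connect(target, sni)
        print(f"CONNECT {target:<22} SNI={sni!s:<20} -> {'splice' if allow else 'reject':<7} ({reason})")
```

The normalization step matters in practice: a byte-for-byte comparison would flag `Example.COM` against `example.com.` as a mismatch and generate false positives, while the raw-IP skip keeps the check from interfering with clients that CONNECT to an address directly.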