On 12/09/15 10:13, Steve Hill wrote:
> I will need to test this more thoroughly, but I was testing using proxytunnel (to set up the CONNECT) and openssl (to do the actual ssl bit) and found that the CN was always identical to the contents of the CONNECT, even if the CONNECT was to an IP address rather than a host name.
I've got to the bottom of this one. This doesn't seem to be documented, so I'm not sure if we just need to improve the documentation or if it's actually a bug. :)
If you peek at step 1 and bump at step 2, everything works correctly - the CN, SAN, etc. from the original server certificate are copied into the forged certificate as expected (this is how the old server-first mode behaves).
If you bump at step 1, the forged certificate's CN is whatever hostname/IP was given in the CONNECT request.
There's certainly value in being able to forge a certificate without contacting the web server - i.e. generating error messages or redirecting people to a captive portal, so this seems like good functionality to keep, I just wasn't expecting it. :)
--
- Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messager: xmpp:[email protected]
Email: [email protected]
Phone: sip:[email protected]

Sales / enquiries contacts:
Email: [email protected]
Phone: +44-1792-824568 / sip:[email protected]

Support contacts:
Email: [email protected]
Phone: +44-1792-825748 / sip:[email protected]
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
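The two SslBump configurations Steve contrasts, written out as squid.conf fragments. This is an added example, not Steve's configuration or anything shipped by the Squid project. It assumes a Squid 3.5-style setup with the at_step ACL type and an http_port with ssl-bump and host-certificate generation enabled; the port, CA paths and the sslcrtd helper setup are placeholders and are not taken from the message.

```conf
# Added example (not from the original message or the Squid project).
# Assumes Squid 3.5+ SslBump with the at_step ACL type. Port number and
# CA paths are placeholders; the sslcrtd_program helper and its cache
# directory, which certificate generation also needs, are omitted here.
http_port 3128 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Variant A: peek at step 1, bump at step 2.
# Squid opens the TLS connection to the origin before forging, so the
# forged certificate is built from the origin's real CN and SAN
# (the behaviour of the old server-first mode).
ssl_bump peek step1
ssl_bump bump step2

# Variant B: bump at step 1 (enable instead of variant A, not alongside it).
# Squid forges the certificate without ever contacting the origin; the only
# name it has is the CONNECT target, so the CN is that hostname or IP
# address. This is what makes it usable for error pages or a captive
# portal when the origin is unreachable or must not be contacted.
# ssl_bump bump step1
```

With variant A, a client validating the forged certificate against the hostname it asked for sees the expected names because they were copied from the origin; with variant B the names come only from the CONNECT line, so a client that connected by IP address gets an IP-address CN, which is exactly the symptom Steve observed with proxytunnel and openssl.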
