On 05/17/2017 03:18 PM, David Hogan wrote:

> I found that applying a blacklist at step3 resulted in too many false
> positives caused by subjectAltName matches.

Factory is working on a patch to address that problem.

> I am hoping separately to figure out how to match missing SNI and
> terminate, either by acl config or a patch.

The above-mentioned patch might allow for matching missing SNIs as well (as a side effect of other changes), but I am not sure. If it does not, the infrastructure introduced by that patch would make it easier to properly add such a feature. Or you can just hard-code a check in your personal Squid, of course.

> are you saying that the OpenSSL validation code could be used directly,
> rather than having OpenSSL think it's doing a real handshake?

Yes, of course. For example, the "openssl verify" command line tool does not do handshakes.

HTH,

Alex.

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
