Hi Guys! Sorry I was unsure if this was the correct point of contact in regards to hostStrictVerify.
I think I am not the only one having issues with hostStrictVerify in scenarios where you just intercept traffic (tls) and squid checks the SNI if the IP address from the Client is the same as squid resolve it. The major issue in that approach is that many services today change their DNS records at a very high frequency, thus it's almost impossible to make sure that client and squid do have the same A record cached. My Proposal to resolve this issue would be the following: - Squid enforces the Client to use SNI! (currently, this is not done and can be considered as a security issue, because you can bypass any hostname rules) - Squid lookup IP for SNI (DNS resolution). - Squid forces the client to go to the resolved IP (and thus ignoring the IP which was provided in the L3 info from the client) Any thoughts? many thanks & have a nice day, Kevin -- Kevin Klopfenstein sudo-i.net
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
