Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-11 Thread Steve Hill
On 07/07/16 12:30, Marcus Kool wrote: Here things get complicated. It is correct that Squid enforces apps to follow standards or should Squid try to proxy connections for apps when it can? I would say no: where it is possible for Squid to allow an app to work, even where it isn't following st

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 01:53 PM, Amos Jeffries wrote: > On 8/07/2016 4:50 a.m., Alex Rousskov wrote: >> On 07/07/2016 06:23 AM, Amos Jeffries wrote: >>> On 7/07/2016 11:30 p.m., Marcus Kool wrote: >> On 07/06/2016 10:07 PM, Alex Rousskov wrote: >>> Q3. What should Squid do when receiving a wildcard

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Eliezer Croitoru
To: Eliezer Croitoru; squid-users@lists.squid-cache.org Subject: Re: [squid-users] host_verify_strict and wildcard SNI On 07/07/2016 01:37 AM, Eliezer Croitoru wrote: > Maybe the future will bring the wildcard into the DNS world FYI: Wildcards have been in DNS world since before RFC 1035 dated 1987: >- Th

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 8/07/2016 5:05 a.m., Alex Rousskov wrote: > On 07/07/2016 10:41 AM, Steve Hill wrote: >> Realistically, shouldn't the SNI reflect the DNS request that was made >> to find the IP of the server you're connecting to? You would never make >> a DNS request for '*.example.com' so I don't see a reason

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 8/07/2016 4:50 a.m., Alex Rousskov wrote: > On 07/07/2016 06:23 AM, Amos Jeffries wrote: >> On 7/07/2016 11:30 p.m., Marcus Kool wrote: > On 07/06/2016 10:07 PM, Alex Rousskov wrote: >> Q3. What should Squid do when receiving a wildcard SNI? > >>> Squid _has_ the original IP so why woul

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 10:41 AM, Steve Hill wrote: > Realistically, shouldn't the SNI reflect the DNS request that was made > to find the IP of the server you're connecting to? You would never make > a DNS request for '*.example.com' so I don't see a reason why you would > send an SNI that has a larger sco

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 06:23 AM, Amos Jeffries wrote: > On 7/07/2016 11:30 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: > Q3. What should Squid do when receiving a wildcard SNI? >> Squid _has_ the original IP so why would Squid potentially connect to an >> other IP ? > Be

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Steve Hill
On 07/07/16 02:07, Alex Rousskov wrote: Q1. Is wildcard SNI "legal/valid"? I do not know the answer to that question. The "*.example.com" name is certainly legal in many DNS contexts. RFC 6066 requires HostName SNI to be a "fully qualified domain name", but I failed to find a strict-enough RFC

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Steve Hill
On 06/07/16 20:54, Eliezer Croitoru wrote: There are other options of course but the first thing to check is if the client is a real browser or some special creature that tries its luck with a special form of ssl. In this case it isn't a real web browser - it's an iOS app, and the vendor h

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 01:37 AM, Eliezer Croitoru wrote: > Maybe the future will bring the wildcard into the DNS world FYI: Wildcards have been in DNS world since before RFC 1035 dated 1987: >- The results of standard queries where the QNAME contains "*" > labels if the data might be used to con

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Yuri Voinov
07.07.2016 19:59, Marcus Kool writes: > > > On 07/07/2016 10:49 AM, Yuri wrote: > A similar question can be asked about SNI names containing unusual characters. At some point, it would be too dangerous to include SNI inf

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 10:49 AM, Yuri wrote: A similar question can be asked about SNI names containing unusual characters. At some point, it would be too dangerous to include SNI information in the fake CONNECT request because it will interfere with HTTP rules, but it is not clear where that point is
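Two points in this thread invite a concrete check: Alex Rousskov's note (quoted in Steve Hill's 2016-07-07 message) that RFC 6066 requires the SNI HostName to be a fully qualified domain name, and Marcus Kool's concern above that SNI values with unusual characters are unsafe to copy into a fake CONNECT request. The following is an added example written for this archive page; it is not Squid code and does not reflect any decision the Squid developers made. It parses the server_name extension out of a raw TLS ClientHello, applies the RFC 6066 section 3 HostName rules (ASCII, no trailing dot, no IP literal) plus RFC 1123 letter-digit-hyphen label syntax, rejects a wildcard label such as "*.example.com", and then approximates a host_verify_strict style comparison of the name's addresses against the intercepted destination IP. The ClientHello bytes and the DNS answers are constructed inline so the script runs offline; a real deployment would resolve the name instead of consulting the STUB_DNS dict.

```python
"""
SNI extraction and validation for a peeking proxy (added example, not Squid's code).
Assumptions: minimal TLS 1.2 ClientHello built by build_client_hello(); DNS answers
come from the constructed STUB_DNS table rather than a real resolver.
"""
import ipaddress
import re
import struct
from typing import Optional, Tuple

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen; 1..63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed DNS data standing in for real resolution (RFC 5737 / RFC 3849 test addresses).
STUB_DNS = {"www.example.com": ["192.0.2.10", "2001:db8::10"]}


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS record holding a ClientHello with only an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry      # ServerNameList
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext          # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00" + exts)          # one cipher suite, null compression
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # handshake type client_hello + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record: content type handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello record, or None."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                   # handshake header, client_version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        if p >= len(hs):
            return None                                  # no extensions at all
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + elen]
            p += elen
            if etype == 0:
                q = 2                                    # skip ServerNameList length
                while q + 3 <= len(data):
                    ntype = data[q]
                    nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        return data[q:q + nlen].decode("ascii")
                    q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def validate_sni(name: str) -> Tuple[bool, str]:
    """RFC 6066 HostName rules plus LDH labels; a wildcard label is reported explicitly."""
    if not name:
        return False, "empty name"
    if not name.isascii():
        return False, "non-ASCII characters"
    if name.endswith(".") or len(name) > 253:
        return False, "trailing dot or too long"
    try:
        ipaddress.ip_address(name)
        return False, "IP literal not allowed in SNI"
    except ValueError:
        pass
    for label in name.split("."):
        if "*" in label:
            return False, f"wildcard label {label!r}"
        if not LABEL_RE.match(label):
            return False, f"invalid label {label!r}"
    return True, "ok"


def verify_host(name: str, dst_ip: str, resolve=lambda n: STUB_DNS.get(n, [])) -> bool:
    """host_verify_strict style check: the intercepted destination must be an address of the name."""
    ok, _ = validate_sni(name)
    if not ok:
        return False
    dst = ipaddress.ip_address(dst_ip)
    return any(ipaddress.ip_address(a) == dst for a in resolve(name))


if __name__ == "__main__":
    sni = extract_sni(build_client_hello("*.example.com"))
    print(sni, validate_sni(sni))                  # ('*.example.com', (False, "wildcard label '*'"))
    print(verify_host("www.example.com", "192.0.2.10"))
```

The validation step runs before the name is ever placed into a synthesized CONNECT request or Host header, so a wildcard, an IP literal, or a label with characters outside the LDH set is rejected up front rather than being forwarded into HTTP rule processing.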

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Yuri
07.07.2016 19:08, Marcus Kool writes: On 07/07/2016 09:23 AM, Amos Jeffries wrote: On 7/07/2016 11:30 p.m., Marcus Kool wrote: On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, M

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 09:23 AM, Amos Jeffries wrote: On 7/07/2016 11:30 p.m., Marcus Kool wrote: On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36 A

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 7/07/2016 11:30 p.m., Marcus Kool wrote: > > > On 07/07/2016 07:15 AM, Amos Jeffries wrote: >> On 7/07/2016 1:55 p.m., Marcus Kool wrote: >>> >>> >>> On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: > On 07/06/2016 11:36 AM, Steve Hill wrote: >>>

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 7/07/2016 1:55 p.m., Marcus Kool wrote: > > > On 07/06/2016 10:07 PM, Alex Rousskov wrote: >> On 07/06/2016 05:01 PM, Marcus Kool wrote: >>> On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be d

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Eliezer Croitoru
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Alex Rousskov Sent: Thursday, July 7, 2016 4:07 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] host_verify_strict and wildcard SNI On 07/06/2016 05:01 PM, Marcus Kool wrote: > On 07/06/2016 11:36 AM

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Marcus Kool
On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be doing broken things with the SNI. The app is making an HTTPS c

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Alex Rousskov
On 07/06/2016 05:01 PM, Marcus Kool wrote: > On 07/06/2016 11:36 AM, Steve Hill wrote: >> I'm using a transparent proxy and SSL-peek and have hit a problem with >> an iOS app which seems to be doing broken things with the SNI. >> >> The app is making an HTTPS connection to a server and presenting a

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Marcus Kool
On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be doing broken things with the SNI. The app is making an HTTPS connection to a server and presenting an SNI with a wildcard in it - i.e. "*.example.com

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Eliezer Croitoru
Subject: Re: [squid-users] host_verify_strict and wildcard SNI I am very seriously concerned about the issue CDN, because every day I discover more and more problematic sites, namely in connection with the CDN and HTTPS. For more than four

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Yuri Voinov
person who holds the keys for them. > > Eliezer > > > Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> > Linux System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > From: Yuri Voinov [mailto:yvoi...@gmail.com] > Sent: Wednesday, Jul

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Eliezer Croitoru
Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il From: Yuri Voinov [mailto:yvoi...@gmail.com] Sent: Wednesday, July 6, 2016 11:15 PM To: Eliezer Croitoru; squid-users@lists.squid-cache.org Subject: Re: [squid-users] host_verify_strict and wildcard SNI

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Yuri Voinov
System Administrator > Mobile: +972-5-28704261 > Email: elie...@ngtech.co.il > > > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov > Sent: Wednesday, July 6, 2016 10:43 PM > To: squid-users@lists.squid-ca

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Eliezer Croitoru
To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] host_verify_strict and wildcard SNI Sounds familiar. Do you experience occasional problems with CloudFlare sites? 06.07.2016 20:36, Steve Hill writes: > > I'm using a

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-06 Thread Yuri Voinov
Sounds familiar. Do you experience occasional problems with CloudFlare sites? 06.07.2016 20:36, Steve Hill writes: > > I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be doing broken things with th