
Squid SNI Inspection results in errors in log #66

Open
aneillans opened this Issue Feb 12, 2019 · 4 comments

aneillans commented Feb 12, 2019

When you enable SNI inspection only on Squid, you encounter a large number of errors in the log such as:

SECURITY ALERT: Host header forgery detected on local=[blah-ip]:443 remote=[my-ip]:52382 FD 12 flags=33 (local IP does not match any domain IP)

This is identifiable as something other vendors of Squid have encountered and had to disable, such as:
https://github.com/NethServer/squid/blob/c7/SOURCES/squid-3.5.20-ssl-forgery.patch

Forum Thread:
https://forum.opnsense.org/index.php?topic=10013.new;topicseen#new


fichtner commented Feb 13, 2019

Work still needs to be done for the squid 4 migration, but I'd like to use this opportunity to look closer into the code, as the current solution only skips the check unconditionally, while limitations should apply:

http://www.squid-cache.org/Doc/config/host_verify_strict/

    Regardless of this option setting, when dealing with intercepted
    traffic, Squid always verifies that the destination IP address matches
    the Host header domain or IP (called 'authority form URL').
aneillans commented Feb 13, 2019

@fichtner fichtner reopened this Feb 13, 2019

fichtner commented Feb 13, 2019

@aneillans thanks, ideally we should see if we can inject the expected IP addresses into the verification check... Maybe we could build a subnet check in this case?!
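To make the two options in this thread concrete, here is an added example (not Squid's code and not anything from the OPNsense project) that models the intercept-mode host verification described in the quoted documentation and the "subnet check" floated above. The resolver map, the hostnames and the addresses are constructed for the example; the /24 width used for the relaxed check is an assumption, and the function names are hypothetical.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for DNS: the addresses Squid would get back when it
# resolves the Host/SNI name itself. Real deployments resolve live, which is
# exactly why a CDN that answers with a different address each time trips
# the strict check and produces the "local IP does not match any domain IP"
# alerts quoted in the issue.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "cdn.example.net": ["198.51.100.5"],
}


def strict_host_verify(dest_ip: str, host: str,
                       resolver: Dict[str, List[str]] = CONSTRUCTED_DNS) -> bool:
    """Model of the rule the docs describe for intercepted traffic: the
    original destination IP must equal one of the addresses the Host/SNI
    name resolves to, or the Host must literally be that IP (authority form).
    """
    try:
        # Authority-form Host header: compare the two addresses directly.
        return ipaddress.ip_address(host) == ipaddress.ip_address(dest_ip)
    except ValueError:
        pass  # not an IP literal, fall through to the name lookup
    return dest_ip in resolver.get(host.lower(), [])


def subnet_host_verify(dest_ip: str, host: str, prefixlen: int = 24,
                       resolver: Dict[str, List[str]] = CONSTRUCTED_DNS) -> bool:
    """Hypothetical relaxed check: accept the connection when the original
    destination lies in the same /prefixlen as any address the name resolves
    to. This is the "subnet check" idea from the thread, not Squid behaviour.
    """
    if strict_host_verify(dest_ip, host, resolver):
        return True
    dest = ipaddress.ip_address(dest_ip)
    for addr in resolver.get(host.lower(), []):
        resolved = ipaddress.ip_address(addr)
        # Only compare within the same address family; a /24 on an IPv6
        # answer would not mean what the caller intended.
        if resolved.version != dest.version:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        if dest in net:
            return True
    return False


def verdicts(dest_ip: str, host: str) -> Dict[str, bool]:
    """Convenience wrapper returning both outcomes side by side."""
    return {
        "strict": strict_host_verify(dest_ip, host),
        "subnet": subnet_host_verify(dest_ip, host),
    }


if __name__ == "__main__":
    # A destination that DNS did not return this time but that sits in the
    # same /24 fails the strict check and passes the relaxed one.
    print(verdicts("203.0.113.77", "www.example.com"))
    # A destination in an unrelated range fails both.
    print(verdicts("192.0.2.5", "www.example.com"))
```

The point of running both checks side by side is to see what the relaxed version gives up: anything in the same /24 as a legitimate answer is now accepted for that name, so the prefix should be kept as narrow as the affected CDN ranges allow, and the strict result is still worth logging even when the subnet rule decides the connection.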

aneillans commented Feb 13, 2019
