I know. Just asked. Since I am familiar with the standards.
might have something in common.
of a hostname from both rfc1035 and rc6066 are very speicifc.
issue in the client side request or software error handling and enforcement.
the client is a real browser or some special creature that tries it's
luck with a special form of ssl.
levels while in a transparent proxy the rules will always change.

In this case it isn't a real web browser - it's an iOS app, and the
vendor has stated that they have no intention of fixing it :(
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com

Direct contacts:
Instant messager: xmpp:***@opendium.com
Email: ***@opendium.com
Phone: sip:***@opendium.com

Sales / enquiries contacts:
Email: ***@opendium.com
Phone: +44-1792-824568 / sip:***@opendium.com

Support contacts:
Email: ***@opendium.com
Phone: +44-1792-825748 / sip:***@opendium.com

[snip]
Steve said that Squid rejects the connection because of a failed DNS lookup.
So what is Squid doing? Is it doing the following ?
- connect to the original IP
- use the presented SNI to the server
- do a DNS lookup and reject
It is interesting to know if an ICAP server or URL rewriter is called
and with which parameters when the ios app breaks.
I use url_rewrite_extras with "... sni=\"%ssl::>sni\" ..."
so the URL redirector receives both the original IP address and
the peeked SNI value to make its decisions.
I agree that an ICAP service needs X-SNI or perhaps X-Squid-SNI to
also get both the IP address and the SNI value.
To support the weirdest apps Squid might have to simply copy all
unusual characters to present the same parameter values to the server.
But we do not want to break things... so which characters are
so unusual that Squid does not want to accept them?

Marcus

Couple thoughts Alex,

Currently the basic splice rules are being used with regex which means that they can work with wildcard.
And I can understand the argument of a client wanting some wildcard domain but I do not know about an application that actually
tries to uses such logic.

There are cases which the RFC do leave the open minds to get wild and I am not saying if these are right or wrong but,
they do states it's a hostname and not a certificate common name or some v3 component.

Practically some client can try to contact some arbitrary website and there are couple aspects to it.
If a user tries to connect to a site using a company proxy, then what companies will want to allow?
Would large companies allow such a connection to be spliced, or maybe they will want to inspect this connection deeper?
What about ISP's, these mostly care about cache and not about ACL's, while there are many who uses squid for content filtering.

From where anyone understands, a wildcard should never be required to be tested against any DNS server in the current state of the internet since these do have a strict policy to honor only valid hostname characters.
Maybe the future will bring the wildcard into the DNS world, should we consider such an option even if the RFC tends to minimize and containerize the options?

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-***@lists.squid-cache.org] On Behalf Of Alex Rousskov
Sent: Thursday, July 7, 2016 4:07 AM
To: squid-***@lists.squid-cache.org
Subject: Re: [squid-users] host_verify_strict and wildcard SNI
There are three rather different questions to consider here:

1. Is wildcard SNI "legal/valid"?
2. Can wildcard SNI "make sense" in some cases?
3. What should Squid do when receiving a wildcard SNI?


Q1. Is wildcard SNI "legal/valid"?

I do not know the answer to that question. The "*.example.com" name is
certainly legal in many DNS contexts. RFC 6066 requires HostName SNI to
be a "fully qualified domain name", but I failed to find a strict-enough
RFC definition of an FQDN that would either accept or reject wildcards
as FQDNs. I would not be surprised if FQDN syntax is not defined to the
level that would allow one to reject wildcards as FQDNs based on syntax
alone.


Q2. Can wildcard SNI "make sense" in some cases?

Yes, of course. The client essentially says "I am trying to connect to
_any_ example.com subdomain at this IP:port address. If you have any
service like that, please connect me". That would work fine in
deployment contexts where several servers with different names provide
essentially the same service and the central "routing point" would pick
the "best" service to use. I am not saying it is a good idea to use
wildcard SNIs, but I can see them "making sense" in some cases.


Q3. What should Squid do when receiving a wildcard SNI?

The first two questions are not really important and each may not even
have a single "correct" answer. I am sure protocol purists can argue
I believe that is what Squid does already but please correct me if I am
wrong.

When forming a fake CONNECT request, Squid uses SNI information because
that is what ACLs and adaptation services usually want to see. However,
I hope that intercepting Squid always connects to the intended
destination of the intercepted connection instead of trusting its own
fake CONNECT request.

Whether Squid should generate a fake CONNECT with a wildcard host name
is an interesting question:

1. A fake CONNECT targeting an wildcard name may break ACL-driven rules
and adaptation services (at least).

2. A fake CONNECT targeting an IP address instead of a wildcard name may
not give some ACL-driven rules and adaptation services enough
information to make the right decision.

3. A premature rejection of a connection with wildcard SNI does not
allow the admin to make the bump/splice/terminate decision.

#2 is probably the lesser of the three evils, but I wonder whether Squid
should also include the invalid host name as an X-SNI or similar HTTP
header in that CONNECT request, to give advanced ACLs and adaptation
services a better chance to work around known benign issues where the
admin knows the wildcard is not malicious (and to kill wildcard
transactions the admin knows to be malicious!).


A similar question can be asked about SNI names containing unusual
characters. At some point, it would be too dangerous to include SNI
information in the fake CONNECT request because it will interfere with
HTTP rules, but it is not clear where that point is exactly.


Cheers,

Alex.

Wildcards can be specified in DNS zonefiles, but I don't think you can
ever look them up directly (rather, you look up "something.example.com"
and the DNS server itself decides to use the wildcard record to fulfil
that request - you never look up *.example.com itself).
Realistically, shouldn't the SNI reflect the DNS request that was made
to find the IP of the server you're connecting to? You would never make
a DNS request for '*.example.com' so I don't see a reason why you would
send an SNI that has a larger scope than the DNS request you made.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com

Direct contacts:
Instant messager: xmpp:***@opendium.com
Email: ***@opendium.com
Phone: sip:***@opendium.com

Sales / enquiries contacts:
Email: ***@opendium.com
Phone: +44-1792-824568 / sip:***@opendium.com

Support contacts:
Email: ***@opendium.com
Phone: +44-1792-825748 / sip:***@opendium.com