Does ECAP have access to SNI?

Asked by Jatin on 2015-05-07

Not sure if this is a Squid-related query or eCAP. I thought that I would start here. Hi, I am using the Squid 3.5.4 SSL Bump feature with peek. I am using Squid as a transparent proxy. When I first go to an SSL site, I see a CONNECT request to that site's IP address (x.x.x.x:443). But at this point I would like to know the SNI which Squid is using to CONNECT to the server?

So is it possible?

Question information

Language: English
Status: Solved
For: eCAP
Assignee: No assignee
Solved by: Alex Rousskov
Solved: 2019-04-03
Last query: 2019-04-03
Last reply: 2015-10-06

This question was reopened

Alex Rousskov (rousskov) said : #1

This is a Squid question. It is possible from the eCAP point of view because there is nothing special about that fake CONNECT request from the eCAP point of view -- it may include all the information available to the host application.

AFAIK, Squid currently does not include SNI information in the fake CONNECT request sent to eCAP and ICAP adaptation services. I believe it would be fairly easy to adjust the fake CONNECT request to use SNI information because modern Squids do extract SNI during SslBump peek action. It would be a welcomed Squid enhancement IMO.

Jatin (jbhasin83) said : #2

Thanks

Jatin (jbhasin83) said : #3

Hi Alex

Squid 3.5.10 is available now and it says that SNI information is available at various step1/step2. I am using an eCAP adapter to extract SNI information. Can you please guide me to extract SNI from Squid?

Best answer: Alex Rousskov (rousskov) said : #4

This is a Squid question, not an eCAP question. Recent Squids may use SNI information (when available) to generate the HTTP Host header and Request-URI parts for the [fake] CONNECT requests. There is nothing special going on from the eCAP point of view here. Your adapter may extract Host and Request-URI from that [fake] CONNECT request just like it extracts Host and Request-URI from any other HTTP request. AFAIK, there are no special SNI headers or meta-headers for the eCAP adapter to worry about.
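An added example, not part of the original thread and not Squid or eCAP project code: a sketch of how an adapter could tell an SNI-derived server name from a bare destination IP once it has the CONNECT Request-URI and Host header as strings. The type and function names are hypothetical, the sample values are constructed, and it assumes the adapter has already read both strings from the request through the libecap message interfaces.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Authority-form target ("host:port") as carried by a CONNECT request.
struct ConnectTarget {
    std::string host;  // without brackets or port
    std::string port;  // empty if absent
    bool isIpLiteral;  // true when only an address, not a server name, is present
};

static bool looksLikeIpv4(const std::string &h) {
    int dots = 0, digits = 0;
    for (unsigned char c : h) {
        if (c == '.') { if (digits == 0) return false; ++dots; digits = 0; }
        else if (!std::isdigit(c) || ++digits > 3) return false;
    }
    return dots == 3 && digits > 0;
}

// Parses "name:port", "a.b.c.d:port", "[v6]:port" or a bare host.
ConnectTarget parseConnectTarget(const std::string &authority) {
    ConnectTarget t{"", "", false};
    if (!authority.empty() && authority[0] == '[') {  // bracketed IPv6 literal
        const std::string::size_type close = authority.find(']');
        if (close == std::string::npos) return t;     // malformed: no host
        t.host = authority.substr(1, close - 1);
        if (authority.compare(close + 1, 1, ":") == 0) t.port = authority.substr(close + 2);
        t.isIpLiteral = true; return t;
    }
    const std::string::size_type colon = authority.rfind(':');
    t.host = authority.substr(0, colon);              // npos keeps the whole string
    if (colon != std::string::npos) t.port = authority.substr(colon + 1);
    t.isIpLiteral = looksLikeIpv4(t.host);
    return t;
}

// Server name for policy decisions, or "" when only an IP address is known.
std::string serverNameFromConnect(const std::string &uri, const std::string &hostHdr) {
    for (const std::string *src : {&uri, &hostHdr}) {
        const ConnectTarget t = parseConnectTarget(*src);
        if (!t.host.empty() && !t.isIpLiteral) return t.host;
    }
    return "";
}

int main() {  // constructed sample values, not captured from a real Squid
    std::cout << serverNameFromConnect("203.0.113.10:443", "www.example.com:443") << "\n";
}
```

An empty result corresponds to the case in the question, where a transparent connection shows only x.x.x.x:443 and no server name is available to the adapter.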

Jatin (jbhasin83) said : #5

Thanks Alex Rousskov, that solved my question.