Does eCAP have access to SNI?

Asked by Jatin

Not sure if this is a Squid-related query or eCAP. I thought that I would start here. Hi, I am using the Squid 3.5.4 SSL Bump feature with peek. I am using Squid as a transparent proxy. When I first go to an SSL site, I see a CONNECT request to that site's IP address (x.x.x.x:443). But at this point I would like to know the SNI which Squid is using to CONNECT to the server.

So is it possible?

Solved by:
Alex Rousskov

This question was reopened

Alex Rousskov (rousskov) said :

This is a Squid question. It is possible from the eCAP point of view because there is nothing special about that fake CONNECT request from the eCAP point of view -- it may include all the information available to the host application.

AFAIK, Squid currently does not include SNI information in the fake CONNECT request sent to eCAP and ICAP adaptation services. I believe it would be fairly easy to adjust the fake CONNECT request to use SNI information because modern Squids do extract SNI during SslBump peek action. It would be a welcomed Squid enhancement IMO.

Jatin (jbhasin83) said :

Hi Alex

Squid 3.5.10 is available now and it says that SNI information is available at various step1/step2. I am using an eCAP adapter to extract SNI information. Can you please guide me to extract SNI from Squid?

Best Alex Rousskov (rousskov) said :

This is a Squid question, not an eCAP question. Recent Squids may use SNI information (when available) to generate the HTTP Host header and Request-URI parts for the [fake] CONNECT requests. There is nothing special going on from the eCAP point of view here. Your adapter may extract Host and Request-URI from that [fake] CONNECT request just like it extracts Host and Request-URI from any other HTTP request. AFAIK, there are no special SNI headers or meta-headers for the eCAP adapter to worry about.
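
An added example, not part of the original reply and not Squid or libecap code: a self-contained C++ helper an adapter could apply to the Request-URI it has already read from the [fake] CONNECT request, to tell the IP-only form described in the question (x.x.x.x:443) from one that carries a server name. The names `parseConnectTarget` and `hasServerName` and the sample URIs are assumptions; a host name in the target does not by itself prove that it came from SNI.

```cpp
#include <arpa/inet.h>
#include <iostream>
#include <string>

// Hypothetical helper for an adapter; these names are not libecap or Squid API.
enum class TargetKind { Invalid, IpLiteral, HostName };

struct ConnectTarget {
    TargetKind kind = TargetKind::Invalid;
    std::string host;
    int port = 0;
};

// Parse the authority-form Request-URI of a CONNECT request ("host:port").
ConnectTarget parseConnectTarget(const std::string &uri) {
    ConnectTarget bad, t;
    const bool bracketed = !uri.empty() && uri[0] == '[';   // [IPv6]:port
    const auto hostEnd = bracketed ? uri.find("]:") : uri.rfind(':');
    if (hostEnd == std::string::npos)
        return bad;
    t.host = bracketed ? uri.substr(1, hostEnd - 1) : uri.substr(0, hostEnd);
    const std::string port = uri.substr(hostEnd + (bracketed ? 2 : 1));
    if (port.empty() || port.size() > 5 ||
        port.find_first_not_of("0123456789") != std::string::npos)
        return bad;
    t.port = std::stoi(port);
    if (t.port < 1 || t.port > 65535)
        return bad;
    in6_addr buf;  // large enough for both address families
    const bool isIp =
        inet_pton(bracketed ? AF_INET6 : AF_INET, t.host.c_str(), &buf) == 1;
    if (bracketed && !isIp)
        return bad;   // brackets may only wrap an IPv6 literal
    if (!isIp && (t.host.empty() || t.host.find_first_of(":[]/ ") != std::string::npos))
        return bad;
    t.kind = isIp ? TargetKind::IpLiteral : TargetKind::HostName;
    return t;
}

// True when the CONNECT target names a server rather than a bare address.
bool hasServerName(const std::string &uri) {
    return parseConnectTarget(uri).kind == TargetKind::HostName;
}

int main() {
    // Constructed sample Request-URIs, not captured traffic.
    for (const char *uri : {"203.0.113.10:443", "www.example.com:443", "[2001:db8::1]:443"})
        std::cout << uri << " -> " << (hasServerName(uri) ? "name" : "no name") << "\n";
}
```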

Jatin (jbhasin83) said :

Thanks Alex Rousskov, that solved my question.