[squid-users] Re: Redirecting before certificate handling

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Tue, 25 Sep 2007 20:47:26 +0200

On tis, 2007-09-25 at 10:45 -0700, Srinivas B wrote:

> My question is, I use one
>
> https_port < with certs matching domain xyz.mydomain.com>
>
> Our firewall is configured in such a way that https requests coming to
> xyz.mydomain.com and abc.mydomain.com are forwarded to squid.
>
> Can I use url_rewrite_program to redirect requests with hostname
> abc.mydomain.com to xyz.mydomain.com (without showing the user a
> security warning message)?

If the browser tries to connect to abc.mydomain.com:443 which translates
to an ip:443 it expects the server to present a certificate matching
abc.mydomain.com.

This all takes place before the browser sends the HTTP request
containing the requested hostname, so no.

If you want to use SSL then you need a unique ip:port per certificate
you want to present. If the browser thinks it is connecting to one host
and is presented a certificate not matching the requested host it will
complain about certificate mismatch.

Regards
Henrik

Received on Tue Sep 25 2007 - 12:47:32 MDT
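
The ordering described in the reply above, as an added example that is not part of the original post or of Squid: a small model of the checks a browser makes, showing that the certificate name check finishes before any HTTP request exists for a rewriter to act on. The rewrite() function is a hypothetical stand-in for a url_rewrite_program and the certificate names are constructed; the matcher also handles left-most-label wildcards, which the post does not discuss.

```python
# Added example: models the order of checks on an HTTPS connection.
# Certificate names and rewrite() are constructed for illustration.

def name_matches(pattern, hostname):
    """RFC 6125-style match: exact labels, '*' only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(cert_names, hostname):
    """True if any name in the presented certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def rewrite(url):
    """Hypothetical stand-in for a url_rewrite_program: abc -> xyz."""
    return url.replace("//abc.mydomain.com", "//xyz.mydomain.com", 1)

def browser_fetch(hostname, path, port_cert_names):
    """Return the events in order; the proxy sees a request only after the handshake."""
    events = ["tcp connect to ip:443",
              "tls handshake: server presents certificate"]
    if not cert_covers(port_cert_names, hostname):
        events.append("certificate mismatch warning for " + hostname)
        return events  # no HTTP request has been sent, so rewrite() never ran
    url = "https://%s%s" % (hostname, path)
    events.append("http request sent: " + url)
    events.append("proxy rewrites to: " + rewrite(url))
    return events

# Constructed setup from the question: one https_port, certificate for xyz only.
PORT_CERT = ["xyz.mydomain.com"]

if __name__ == "__main__":
    for host in ("xyz.mydomain.com", "abc.mydomain.com"):
        print(host)
        for event in browser_fetch(host, "/login", PORT_CERT):
            print("   ", event)
```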
