When negotiating SSL connections, Squid 3.1 currently only matches the
server name against the peer certificate's common name. Some X509
certs use the subjectAltName extension which can specify a number of
alternate DNS names for which the certificate is valid. Code to handle
the subjectAltName extension is available in Squid 2.7 but has not
been ported to 3.1. I'm not 100% sure if this is an oversight or if
there is some outstanding security issue with honouring additional DNS
names.
Here's a patch against Squid 3.1.0.16 that ports the subjectAltName
handling code from Squid 2.7.
Also available as a bzr branch @ lp:~brotchie/squid/ssl-subjectAltName-3.1
Cheers,
James
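The matching logic the message describes, written out as an added, self-contained example (not the Squid 2.7 or 3.1 code, and not James's patch): a hostname is compared against the certificate's subjectAltName dNSName entries, falling back to the common name only when no SAN names are present, with the wildcard restrictions from RFC 6125 section 6.4.3. Pulling the CN and SAN strings out of an OpenSSL X509 object is left out; the name lists passed to `peerNameMatches` are constructed inputs, and `dnsNameMatches`/`peerNameMatches` are names chosen here, not Squid APIs.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case ASCII copy: DNS names compare case-insensitively.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split a DNS name on '.' into its labels.
static std::vector<std::string> labels(const std::string& name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { out.push_back(cur); cur.clear(); }
        else cur += c;
    }
    out.push_back(cur);
    return out;
}

// Does one certificate name (a CN or a SAN dNSName) match the requested host?
// Wildcard rules (RFC 6125 s6.4.3): '*' may only be the entire left-most label,
// it never matches across a dot, and names with fewer than three labels
// (e.g. "*.com") are rejected. Partial wildcards such as "w*.example.com"
// are rejected too.
bool dnsNameMatches(const std::string& certName, const std::string& host) {
    const std::string c = lower(certName), h = lower(host);
    if (c.empty() || h.empty()) return false;
    if (c.find('*') == std::string::npos) return c == h;   // plain name: exact match

    const std::vector<std::string> cl = labels(c), hl = labels(h);
    if (cl.size() < 3 || cl.size() != hl.size()) return false;
    if (cl[0] != "*") return false;
    for (size_t i = 1; i < cl.size(); ++i)
        if (cl[i] != hl[i]) return false;
    return true;
}

// Verify the peer hostname against the certificate's names. When the
// certificate carries any SAN dNSName entries the CN is not consulted
// (RFC 6125 s6.4.4); the CN is only a fallback for certificates without SANs.
// sanDnsNames is assumed to hold only the dNSName entries of the extension.
bool peerNameMatches(const std::string& host,
                     const std::string& commonName,
                     const std::vector<std::string>& sanDnsNames) {
    if (!sanDnsNames.empty()) {
        for (const std::string& san : sanDnsNames)
            if (dnsNameMatches(san, host)) return true;
        return false;
    }
    return dnsNameMatches(commonName, host);
}
```

Ignoring the CN once SAN names are present is a deliberate choice here: it stops a certificate issued for `mail.example.com` (SAN) from also being accepted for an unrelated CN value, and it is the behaviour current browsers and RFC 6125 expect. A proxy that still has to accept old CN-only certificates keeps the fallback branch; one that does not can drop it.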
This archive was generated by hypermail 2.2.0 : Wed Feb 03 2010 - 12:00:04 MST