Replies: 1 comment
I started this conversation on another forum, and someone responded as follows: I don’t have any technical knowledge, but if it can be implemented in the core, that would be great.
Hello,
As you all know, Fastly has removed domain fronting, but we can still use any arbitrary SNI with 'allow insecure' activated to establish an SSL connection on Fastly. However, using 'allow insecure' is not safe. So, I checked and found that Fastly provides a default SSL if our SNI is not valid, with the value 'default.ssl.fastly.net'.
I would like to suggest that instead of having only two options, true and false, for the allowInsecure option, a third option, "default.ssl.fastly.net", should be added. This way, we can use any arbitrary SNI to trick GFW while still validating the public key using the given value. The third option could be more generalized. Instead of always using 'default.ssl.fastly.net', we should allow users to specify a desired value, which may help in situations beyond Fastly CDN.
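An added example, not code from this discussion or from the project: one way a client can send an arbitrary SNI while still validating the server's certificate chain against a separately configured name, which is the behaviour the proposal asks for in place of `allowInsecure`. It uses Go's `crypto/tls` (the language is an assumption); the helper names `pinnedNameConfig` and `check` are hypothetical and the certificate is a constructed self-signed test certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// pinnedNameConfig (hypothetical helper) puts sni in the ClientHello but validates
// the server's chain against verifyName. A nil roots pool means the system roots.
func pinnedNameConfig(sni, verifyName string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: sni,
		// Disables only the built-in check; VerifyConnection below replaces it.
		InsecureSkipVerify: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return fmt.Errorf("server sent no certificate")
			}
			opts := x509.VerifyOptions{Roots: roots, DNSName: verifyName, Intermediates: x509.NewCertPool()}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c)
			}
			_, err := cs.PeerCertificates[0].Verify(opts)
			return err
		},
	}
}

// check builds a constructed self-signed certificate for certName and runs the verifier on it.
func check(sni, verifyName, certName string) error {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{certName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	cs := tls.ConnectionState{ServerName: sni, PeerCertificates: []*x509.Certificate{leaf}}
	return pinnedNameConfig(sni, verifyName, roots).VerifyConnection(cs)
}

func main() {
	fmt.Println(check("example.com", "default.ssl.fastly.net", "default.ssl.fastly.net"))
	fmt.Println(check("example.com", "default.ssl.fastly.net", "other.example"))
}
```

Unlike a plain `allowInsecure: true`, a certificate that does not chain to a trusted root or does not cover the configured name is rejected, so an on-path party cannot substitute its own certificate.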