%USER_CERTCHAIN SSL User certificate chain in PEM format
%USER_CERT_xx SSL User certificate subject attribute xx
%USER_CA_xx SSL User certificate issuer attribute xx
+ %ssl::>sni SSL client SNI sent to Squid
%>{Header} HTTP request header "Header"
%>{Hdr:member}
In all other cases, a single dash ("-") is
logged.
+ ssl::>sni SSL client SNI sent to Squid. Available only
+ after the peek, stare, or splice SSL bumping
+ actions.
+
If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
assert(b);
Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
if (bio->gotHello()) {
+ if (conn->serverBump()) {
+ Ssl::Bio::sslFeatures const &features = bio->getFeatures();
+ if (!features.serverName.empty())
+ conn->serverBump()->clientSni = features.serverName.c_str();
+ }
+
debugs(83, 2, "I got hello. Start forwarding the request!!! ");
Comm::SetSelect(fd, COMM_SELECT_READ, NULL, NULL, 0);
Comm::SetSelect(fd, COMM_SELECT_WRITE, NULL, NULL, 0);
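Review bot: The server_name from the client hello is stored verbatim at `conn->serverBump()->clientSni = features.serverName.c_str();` even though it now feeds external_acl helper keys and access-log lines elsewhere in this commit, and nothing in this hunk constrains it; the hello parser in Ssl::Bio is outside this view, so I cannot tell whether it already rejects non-hostname bytes. Going through `c_str()` also silently truncates a name at an embedded NUL instead of rejecting it, so the stored value can differ from what the client actually sent. I would validate at the point of capture, keeping only names that match the RFC 6066 host_name shape, and log-and-ignore the rest; the enclosing function continues outside the hunk.
```cpp
if (conn->serverBump()) {
    const std::string &sni = bio->getFeatures().serverName;
    // RFC 6066 host_name is an ASCII DNS name; refuse anything else so the
    // value is safe to hand to helpers and logs as a single token.
    static const char *hostChars =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.";
    if (!sni.empty() && sni.size() <= 255 &&
        sni.find_first_not_of(hostChars) == std::string::npos)
        conn->serverBump()->clientSni.assign(sni.data(), sni.size());
    else if (!sni.empty())
        debugs(83, 3, "ignoring malformed SNI from client " << conn->clientConnection);
}
// … unchanged: debugs / SetSelect calls …
```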
#include "URL.h"
#include "wordlist.h"
#if USE_OPENSSL
+#include "ssl/ServerBump.h"
#include "ssl/support.h"
#endif
#if USE_AUTH
debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type %CA_CERT_* code is obsolete. Use %USER_CA_CERT_* instead");
format->type = Format::LFT_EXT_ACL_USER_CA_CERT;
format->header = xstrdup(token + 11);
- }
+ } else if (strcmp(token, "%ssl::>sni") == 0)
+ format->type = Format::LFT_SSL_CLIENT_SNI;
#endif
#if USE_AUTH
else if (strcmp(token, "%EXT_USER") == 0 || strcmp(token, "%ue") == 0)
DUMP_EXT_ACL_TYPE_FMT(EXT_ACL_USER_CERTCHAIN_RAW, " %%USER_CERTCHAIN_RAW");
DUMP_EXT_ACL_TYPE_FMT(EXT_ACL_USER_CERT, " %%USER_CERT_%s", format->header);
DUMP_EXT_ACL_TYPE_FMT(EXT_ACL_USER_CA_CERT, " %%USER_CA_CERT_%s", format->header);
+ DUMP_EXT_ACL_TYPE_FMT(SSL_CLIENT_SNI, "ssl::>sni");
#endif
#if USE_AUTH
DUMP_EXT_ACL_TYPE_FMT(USER_EXTERNAL," %%ue");
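Review bot: The dump string for the new entry, `DUMP_EXT_ACL_TYPE_FMT(SSL_CLIENT_SNI, "ssl::>sni");`, lacks both the leading space and the doubled percent that every sibling entry in this hunk uses, so a dumped external_acl_type line would print `ssl::>sni` glued onto the preceding token and without the `%` that the parser branch added by this same commit requires (`strcmp(token, "%ssl::>sni") == 0`), leaving the dumped configuration unparsable. Change it to `DUMP_EXT_ACL_TYPE_FMT(SSL_CLIENT_SNI, " %%ssl::>sni");`. The enclosing dump function starts and ends outside the hunk.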
}
break;
+
+ case Format::LFT_SSL_CLIENT_SNI:
+ if (ch->conn() != NULL) {
+ if (Ssl::ServerBump * srvBump = ch->conn()->serverBump()) {
+ if (!srvBump->clientSni.isEmpty())
+ str = srvBump->clientSni.c_str();
+ }
+ }
+ break;
#endif
#if USE_AUTH
case Format::LFT_USER_EXTERNAL:
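Review bot: This three-level lookup (connection, ServerBump, non-empty clientSni) is duplicated verbatim by the new LFT_SSL_CLIENT_SNI case in format/Format.cc; a single accessor on ConnStateData such as `const SBuf &sslClientSni() const;` returning the bump's name or an empty SBuf would keep the two sites in step if the ServerBump lifetime rules change. `str` here is a raw, client-controlled string, and the hunk relies on the key assembly after the switch (outside this view) to quote it before it reaches the helper, which deserves a comment on the assignment: `str = srvBump->clientSni.c_str(); // raw client-supplied name; escaped by the key builder below`. The enclosing function continues beyond the hunk.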
LFT_SSL_BUMP_MODE,
LFT_SSL_USER_CERT_SUBJECT,
LFT_SSL_USER_CERT_ISSUER,
+ LFT_SSL_CLIENT_SNI,
#endif
LFT_NOTE,
#include "URL.h"
#if USE_OPENSSL
#include "ssl/ErrorDetail.h"
+#include "ssl/ServerBump.h"
#endif
/// Convert a string to NULL pointer if it is ""
}
}
break;
+ case LFT_SSL_CLIENT_SNI:
+ if (al->request && al->request->clientConnectionManager.valid()) {
+ if (Ssl::ServerBump * srvBump = al->request->clientConnectionManager->serverBump()) {
+ if (!srvBump->clientSni.isEmpty())
+ out = srvBump->clientSni.c_str();
+ }
+ }
+ break;
#endif
case LFT_REQUEST_URLGROUP_OLD_2X:
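Review bot: The SNI copied into `out` at `out = srvBump->clientSni.c_str();` is attacker-controlled and this case does not mark it for escaping, so unless the post-switch quoting (outside this hunk) already applies unconditionally, whitespace or control bytes in a crafted hello land in the access log unescaped and can break line-oriented log parsers. If this function follows the pattern where other client-supplied tokens such as request headers set a `quote` flag, add `quote = 1;` after the assignment; if not, say so in a comment so the reliance on the admin's quoting modifier is explicit. The enclosing assemble function starts and ends outside the hunk.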
{"bump_mode", LFT_SSL_BUMP_MODE},
{">cert_subject", LFT_SSL_USER_CERT_SUBJECT},
{">cert_issuer", LFT_SSL_USER_CERT_ISSUER},
+ {">sni", LFT_SSL_CLIENT_SNI},
{NULL, LFT_NONE}
};
#endif
Ssl::CertErrors *sslErrors; ///< SSL [certificate validation] errors
Ssl::BumpMode mode; ///< The SSL server bump mode
Ssl::BumpStep step; ///< The SSL server bumping step
+ SBuf clientSni; ///< the SSL client SNI name
private:
store_client *sc; ///< dummy client to prevent entry trimming
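Review bot: The comment on the new member, `SBuf clientSni; ///< the SSL client SNI name`, does not say when the field is populated or that it is unvalidated client input, and both the ACL and the log code added by this commit now read it. I would document that contract where the field is declared: `SBuf clientSni; ///< server_name from the client hello (raw, client-controlled); empty until the hello has been parsed`. The class declaration starts outside the hunk.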