parsingTlsHandshake = false;
- if (mayTunnelUnsupportedProto())
- preservedClientData = inBuf;
+ // client data may be needed for splicing and for
+ // tunneling unsupportedProtocol after an error
+ preservedClientData = inBuf;
// Even if the parser failed, each TLS detail should either be set
// correctly or still be "unknown"; copying unknown detail is a no-op.
transferProtocol = Http::ProtocolVersion();
assert(!pipeline.empty());
Http::StreamPointer context = pipeline.front();
+ Must(context);
+ Must(context->http);
ClientHttpRequest *http = context->http;
- tunnelStart(http);
- return true;
+ HttpRequest::Pointer request = http->request;
+ context->finished();
+ if (transparent()) {
+ // For transparent connections, make a new fake CONNECT request, now
+ // with SNI as target. doCallout() checks, adaptations may need that.
+ return fakeAConnectRequest("splice", preservedClientData);
+ } else {
+ // For non transparent connections make a new tunneled CONNECT, which
+ // also sets the HttpRequest::flags::forceTunnel flag to avoid
+ // respond with "Connection Established" to the client.
+ // This fake CONNECT request required to allow use of SNI in
+ // doCallout() checks and adaptations.
+ return initiateTunneledRequest(request, Http::METHOD_CONNECT, "splice", preservedClientData);
+ }
}
void
return false;
}
+ const Ssl::BumpMode bumpMode = http->getConn()->sslBumpMode;
if (http->request->flags.forceTunnel) {
debugs(85, 5, "not needed; already decided to tunnel " << http->getConn());
+ if (bumpMode != Ssl::bumpEnd)
+ http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
return false;
}
// If SSL connection tunneling or bumping decision has been made, obey it.
- const Ssl::BumpMode bumpMode = http->getConn()->sslBumpMode;
if (bumpMode != Ssl::bumpEnd) {
debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
"), " << "ignoring ssl_bump for " << http->getConn());