} else {
SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost());
+
+ // We need to set SNI TLS extension only in the case we are
+ // connecting direct to origin server
+ Ssl::setClientSNI(ssl, request->GetHost());
}
// Create the ACL check list now, while we have access to more info.
return ret;
}
+bool
+Ssl::setClientSNI(SSL *ssl, const char *fqdn)
+{
+ //The SSL_CTRL_SET_TLSEXT_HOSTNAME is a openssl macro which indicates
+ // if the TLS servername extension (SNI) is enabled in openssl library.
+#if defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
+ if (!SSL_set_tlsext_host_name(ssl, fqdn)) {
+ const int ssl_error = ERR_get_error();
+ debugs(83, 3, "WARNING: unable to set TLS servername extension (SNI): " <<
+ ERR_error_string(ssl_error, NULL) << "\n");
+ return false;
+ }
+ return true;
+#else
+ debugs(83, 7, "no support for TLS servername extension (SNI)\n");
+ return false;
+#endif
+}
+
#endif /* USE_SSL */
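Review bot: `ERR_get_error()` returns an `unsigned long`, so the new `const int ssl_error = ERR_get_error();` in setClientSNI narrows the packed error code before it is handed to `ERR_error_string`, and `ERR_error_string(ssl_error, NULL)` writes into a shared static buffer that is not safe to rely on if anything else formats an OpenSSL error in between. Keep the full width and use the caller-supplied buffer variant: `const unsigned long ssl_error = ERR_get_error();`, then `char errbuf[256]; ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));`, and print `errbuf` in the debugs line. Separately, the call site passes `request->GetHost()` straight through; if that value can be an IP literal, RFC 6066 does not allow it as an SNI host_name and some servers reject the handshake, so a check for a literal address before setting SNI (or a documented caveat on the function) would be worth adding. The caller's enclosing function starts outside the hunk.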
*/
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
+/**
+ \ingroup ServerProtocolSSLAPI
+ * Sets the hostname for the Server Name Indication (SNI) TLS extension
+ * if supported by the used openssl toolkit.
+ \return true if SNI set false otherwise
+*/
+bool setClientSNI(SSL *ssl, const char *fqdn);
} //namespace Ssl
#ifdef _SQUID_MSWIN_