When there is an error and we know the intended server name from CONNECT
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Mon, 27 Feb 2012 17:17:09 +0000 (19:17 +0200)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Mon, 27 Feb 2012 17:17:09 +0000 (19:17 +0200)
request, we should use that name for the CN in the fake certificate instead
of mimicking the received true server certificate CN.

src/client_side.cc

index 76ff112f410e121b44ab7dd29417d6023646dfde..2f4099c34cdc048531d41de14a62033d60a7514e 100644 (file)
@@ -3895,7 +3895,14 @@ ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection)
         debugs(33, 5, HERE << "bumped HTTPS server: " << sslConnectHostOrIp);
     } else {
         debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp);
-        if (bumpServerCert.get())
+        Ip::Address intendedDest;
+        intendedDest = sslConnectHostOrIp.termedBuf();
+        // Squid serves its own error page and closes, so we want
+        // a CN that causes no additional browser errors. Possible
+        // only when bumping CONNECT which uses a host name.
+        if (intendedDest.IsAnyAddr())
+            sslCommonName = sslConnectHostOrIp;
+        else if (bumpServerCert.get())
             sslCommonName = Ssl::CommonHostName(bumpServerCert.get());
     }
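Review bot: The added `if (intendedDest.IsAnyAddr())` test in the error branch treats "still the any-address after the string assignment" as meaning "sslConnectHostOrIp is a host name". That condition also holds for an empty sslConnectHostOrIp and for a literal `0.0.0.0` or `::`, and in those cases the fake certificate CN is now taken from that value instead of from bumpServerCert. Because sslConnectHostOrIp appears to originate from the client's CONNECT request, the name placed in a certificate signed by the proxy CA is client-chosen. I would guard with `if (sslConnectHostOrIp.size() > 0 && intendedDest.IsAnyAddr())` and confirm that its length and characters are validated before it is used as a CN, which is not visible in this hunk. A comment such as `// IsAnyAddr() here means the CONNECT target did not parse as an IP literal, i.e. it is a host name` would make the intent explicit; httpsPeeked() starts and continues outside the hunk.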