From: Christos Tsantilas Date: Fri, 13 May 2011 07:59:19 +0000 (+0300) Subject: Squid-to-origin SNI for ssl-bump X-Git-Tag: take07~16^2~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=253749a8c829593fc8c332c4b02f972fb5ab9819;p=thirdparty%2Fsquid.git Squid-to-origin SNI for ssl-bump This patch adds Squid-to-server SSL Server Name Indication (SNI) support to the outgoing connections in Squid. This is a Measurement Factory project
---
diff --git a/src/forward.cc b/src/forward.cc
index 44295c2bc7..d5b29626be 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -684,6 +684,10 @@ FwdState::initiateSSL()
 } else {
 SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost());
+
+ // We need to set SNI TLS extension only in the case we are
+ // connecting direct to origin server
+ Ssl::setClientSNI(ssl, request->GetHost());
 }
 
 // Create the ACL check list now, while we have access to more info.
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 7e3995e067..a01707dcba 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1237,4 +1237,23 @@ bool Ssl::verifySslCertificateDate(SSL_CTX * sslContext)
 return ret;
 }
 
+bool
+Ssl::setClientSNI(SSL *ssl, const char *fqdn)
+{
+ //The SSL_CTRL_SET_TLSEXT_HOSTNAME is a openssl macro which indicates
+ // if the TLS servername extension (SNI) is enabled in openssl library.
+#if defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
+ if (!SSL_set_tlsext_host_name(ssl, fqdn)) {
+ const int ssl_error = ERR_get_error();
+ debugs(83, 3, "WARNING: unable to set TLS servername extension (SNI): " <<
+ ERR_error_string(ssl_error, NULL) << "\n");
+ return false;
+ }
+ return true;
+#else
+ debugs(83, 7, "no support for TLS servername extension (SNI)\n");
+ return false;
+#endif
+}
+
 #endif /* USE_SSL */
diff --git a/src/ssl/support.h b/src/ssl/support.h
index 2e83dd791b..4f03c7d7d9 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
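Review bot: The value handed to Ssl::setClientSNI at the new call is request->GetHost(), which can be an IP literal (a URL or CONNECT target given by address), and RFC 6066 does not permit literal IPv4/IPv6 addresses in the SNI HostName, so the call should be skipped when the host string parses as an address, e.g. after an inet_pton() probe for AF_INET and AF_INET6. The added comment says SNI is set only when connecting directly to the origin, but the condition that selects this else branch is outside the hunk, so I cannot confirm that from here; if the branch is also reached for cache_peer connections, the peer's configured hostname rather than the request host would be the value to send. The bool result is discarded, which is acceptable since setClientSNI logs its own failure, but a one-line comment would make that deliberate: `// a failure is logged inside setClientSNI and is not fatal for the connection`. FwdState::initiateSSL() starts before and continues after this hunk.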
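Review bot: ERR_get_error() returns an unsigned long, but the new Ssl::setClientSNI stores it in `const int ssl_error`, narrowing the packed error code before passing it back to ERR_error_string(), which takes an unsigned long; declare it as `const unsigned long ssl_error = ERR_get_error();`. ERR_error_string() with a NULL buffer formats into a static buffer that is not safe across threads; ERR_error_string_n() into a local `char errbuf[256]` avoids relying on it. Only one entry is drained from the OpenSSL error queue, so any further entries left by the failed control call stay queued for the next caller to misattribute; an ERR_clear_error() after logging would keep later error reporting accurate. The trailing "\n" in both debugs() messages presumably duplicates the line ending debugs() adds itself and would print as a blank line; worth confirming against the other debugs() calls in this file.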
@@ -132,6 +132,13 @@ int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(vo
 */
 int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
 
+/**
+ \ingroup ServerProtocolSSLAPI
+ * Sets the hostname for the Server Name Indication (SNI) TLS extension
+ * if supported by the used openssl toolkit.
+ \return true if SNI set false otherwise
+*/
+bool setClientSNI(SSL *ssl, const char *fqdn);
 } //namespace Ssl
 
 #ifdef _SQUID_MSWIN_
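Review bot: The new Doxygen block for setClientSNI documents the return value but neither parameter, and the constraint implied by the name fqdn is what a caller most needs to know; add `\param ssl the outgoing connection whose ClientHello will carry the extension` and `\param fqdn the server name to send; a DNS host name, never an IP literal (RFC 6066)`. Stating that the value is sent on the wire to the origin also makes clear that the caller, not this helper, is responsible for choosing a name that matches the certificate it will later verify.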