From: Christos Tsantilas
Date: Fri, 19 Dec 2014 17:54:32 +0000 (+0200)
Subject: Fix peek-and-splice mode: certificate validation for domain mismatched errors
X-Git-Tag: merge-candidate-3-v1~426
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9db3fdb3a6ad6afb982af319540d042ac201150e;p=thirdparty%2Fsquid.git

Fix peek-and-splice mode: certificate validation for domain mismatched errors

Currently squid does not check for domain mismatched errors while validates the server certificate on peek and splice mode, even if the server hostname is known from SNI info or from CONNECT request string.

This is a Measurement Factory project
---

diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index 1ca6f853ec..d0b7fd68f4 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -163,6 +163,13 @@ Ssl::PeerConnector::initializeSsl()
 srvBio->recordInput(true);
 srvBio->mode(request->clientConnectionManager->sslBumpMode);
 }
+
+ const bool isConnectRequest = request->clientConnectionManager.valid() &&
+ !request->clientConnectionManager->port->flags.isIntercepted();
+ if (isConnectRequest)
+ SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost());
+ else if (!features.serverName.isEmpty())
+ SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)features.serverName.c_str());
 }
 } else {
 // While we are peeking at the certificate, we may not know the server
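Review bot: Both `SSL_set_ex_data(ssl, ssl_ex_index_server, ...)` calls stash a bare `const char*` with its const cast away, and nothing in the hunk ties the pointed-to storage to the SSL object's lifetime: if `request->GetHost()` points into the request and `features.serverName.c_str()` into the SBuf's own buffer (Squid's SBuf documents that pointer as valid only until the next mutation), then the verify callback that later reads this slot depends on neither object being modified or freed first, and unless the index was registered with a free function (not shown here) nothing releases a copy either. That assumption deserves a comment at the first call, e.g. `// ex_data holds a borrowed pointer: request/features must outlive this SSL's verify callback`, or an owned copy (xstrdup plus an ex_data free callback) if the guarantee cannot be made. Also, for an intercepted connection with no SNI the `else if` is skipped and no server name is set, so the domain-mismatch check the commit message promises is silently not performed; a comment such as `// intercepted without SNI: no name to validate against, mismatch check skipped` would make that visible, and the destination IP is not a substitute since certificates are rarely issued for it. A CONNECT target is preferred over SNI here even when both are present, so a CONNECT/SNI disagreement is not caught by this check; please confirm that is handled elsewhere. initializeSsl's body starts and ends outside the hunk.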