Support SNI on generated CONNECT after peek
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Thu, 17 Sep 2015 05:40:34 +0000 (22:40 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Thu, 17 Sep 2015 05:40:34 +0000 (22:40 -0700)
When Squid decides to splice a connection at the step2 SSL bumping step, it
sends a second fake CONNECT request to the ICAP/eCAP for adaptation.

This patch fixes squid to use the SNI information when sending the second
CONNECT request, if it is available.

This is a Measurement Factory project

src/client_side.cc

index 3ba425db06900bb9809d9032b58e754b9d37e48d..6fde62adef58d938ef860f1ba5d5c26e01517984 100644 (file)
@@ -4424,14 +4424,24 @@ void
 ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload)
 {
     // fake a CONNECT request to force connState to tunnel
-    static char ip[MAX_IPSTRLEN];
-    clientConnection->local.toUrl(ip, sizeof(ip));
+    SBuf connectHost;
+#if USE_OPENSSL
+    if (serverBump() && !serverBump()->clientSni.isEmpty()) {
+        connectHost.assign(serverBump()->clientSni);
+        if (clientConnection->local.port() > 0)
+            connectHost.appendf(":%d",clientConnection->local.port());
+    } else
+#endif
+    {
+        static char ip[MAX_IPSTRLEN];
+        connectHost.assign(clientConnection->local.toUrl(ip, sizeof(ip)));
+    }
     // Pre-pend this fake request to the TLS bits already in the buffer
     SBuf retStr;
     retStr.append("CONNECT ");
-    retStr.append(ip);
+    retStr.append(connectHost);
     retStr.append(" HTTP/1.1\r\nHost: ");
-    retStr.append(ip);
+    retStr.append(connectHost);
     retStr.append("\r\n\r\n");
     retStr.append(payload);
     in.buf = retStr;
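Review bot: The new OpenSSL branch copies `serverBump()->clientSni` unchanged into both the CONNECT request-target and the `Host:` header, and that value comes from the client's TLS ClientHello, so it is client-controlled text. Nothing in this hunk rejects CR, LF, spaces or other bytes that are invalid in a host name, and whether the code that fills `clientSni` does so is not visible here; if it does not, a malformed SNI changes the structure of the request that is placed in `in.buf` and presumably parsed and handed to ICAP/eCAP. I would gate the branch on a character check, for example by adding `&& serverBump()->clientSni.findFirstOf(invalidHostChars) == SBuf::npos` to the condition (with `invalidHostChars` a CharacterSet defined for this purpose), so anything else falls through to the existing IP-based branch. A comment such as `// SNI is unverified client input; the host seen by adaptation may differ from the real destination` above the branch would also help later readers. The function body continues past the end of the hunk.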