Internal requests (eg comming from Downloader) must not peek-and-spliced
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Thu, 5 Nov 2015 18:03:05 +0000 (20:03 +0200)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Thu, 5 Nov 2015 18:03:05 +0000 (20:03 +0200)
- Do not use the Ssl::PeekingPeerConnector to connect to the remote site for
  internal HTTPS requests; peek-and-splice does not make any sense when the
  client is missing. Use the Ssl::BlindPeerConnector instead.
- Fix Ssl::BlindPeerConnector to work with requests coming from Downloader:
   * Use the default Config.ssl_client.sslContext as the SSL_CTX context for
     these requests
   * Allow Ssl::BlindPeerConnector to work with requests not destined to a
     cache peer

src/FwdState.cc
src/ssl/PeerConnector.cc

index 9b255602b8cfd7f3ceb0fd80671f232a0164e329..43bf34ea6de25f2a490af5020f5421d3f2cedb60 100644 (file)
@@ -705,8 +705,14 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in
                                                     FwdStatePeerAnswerDialer(&FwdState::connectedToPeer, this));
             // Use positive timeout when less than one second is left.
             const time_t sslNegotiationTimeout = max(static_cast<time_t>(1), timeLeft());
-            Ssl::PeekingPeerConnector *connector =
-                new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, sslNegotiationTimeout);
+            Ssl::PeerConnector *connector;
+            if (request->clientConnectionManager->connectionless()) {
+                // It is an internal request, no client connection
+                // does not make sense to peek and slpice/or bump.
+                connector = new Ssl::BlindPeerConnector(requestPointer, serverConnection(), callback, sslNegotiationTimeout);
+            } else {
+                connector = new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, sslNegotiationTimeout);
+            }
             AsyncJob::Start(connector); // will call our callback
             return;
         }
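Review bot: The new condition dereferences `request->clientConnectionManager` without first checking that the pointer is still valid; if the client-side manager can already be gone by the time connectDone() runs (a client that disconnected mid-connect), a CbcPointer dereference will not be safe, so the test should read something like `const bool internal = request->clientConnectionManager.valid() && request->clientConnectionManager->connectionless();` unless an earlier check I cannot see in this hunk already guarantees validity. Note that this branch is what decides whether the server certificate is handled by the peeking path or by the blind path with the global client context, so the choice deserves a precise comment; the one added here has a typo and reads awkwardly, suggest `// Internal request with no client connection: peek-and-splice (or bump) makes no sense.`. connectDone() starts and ends outside the hunk.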
index 1496598b16d297e0c2eb30493806d22f658926c1..6e7e8457062afd4aa5a4f3fe29a35f902ec207c4 100644 (file)
@@ -706,7 +706,7 @@ Ssl::BlindPeerConnector::getSslContext()
         SSL_CTX *sslContext = peer->sslContext;
         return sslContext;
     }
-    return NULL;
+    return ::Config.ssl_client.sslContext;
 }
 
 SSL *
@@ -716,18 +716,23 @@ Ssl::BlindPeerConnector::initializeSsl()
     if (!ssl)
         return NULL;
 
-    const CachePeer *peer = serverConnection()->getPeer();
-    assert(peer);
+    if (const CachePeer *peer = serverConnection()->getPeer()) {
+        assert(peer);
 
-    // NP: domain may be a raw-IP but it is now always set
-    assert(!peer->secure.sslDomain.isEmpty());
+        // NP: domain may be a raw-IP but it is now always set
+        assert(!peer->secure.sslDomain.isEmpty());
 
-    // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
-    SBuf *host = new SBuf(peer->secure.sslDomain);
-    SSL_set_ex_data(ssl, ssl_ex_index_server, host);
+        // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
+        SBuf *host = new SBuf(peer->secure.sslDomain);
+        SSL_set_ex_data(ssl, ssl_ex_index_server, host);
 
-    if (peer->sslSession)
-        SSL_set_session(ssl, peer->sslSession);
+        if (peer->sslSession)
+            SSL_set_session(ssl, peer->sslSession);
+    } else {
+        // it is not a request destined to a peer
+        SBuf *host = new SBuf(request->url.host());
+        SSL_set_ex_data(ssl, ssl_ex_index_server, host);
+    }
 
     return ssl;
 }
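Review bot: The `assert(peer)` kept inside `if (const CachePeer *peer = ...)` is now dead, and both branches end with the same `SSL_set_ex_data(ssl, ssl_ex_index_server, host)` call, so the host choice can be folded into one variable with a single ex-data store and a single copy of the const-loss comment. This reorders SSL_set_ex_data after SSL_set_session in the peer branch, which looks harmless since the ex_data slot is only read later, but worth confirming. The new else branch also deserves a comment saying why the origin host is stored: for a non-peer destination it is the server name the verification side is expected to check, and the SSL_CTX for that case now comes from getSslContext()'s fallback to ::Config.ssl_client.sslContext, so the global client verification settings apply. initializeSsl()'s opening lines are outside the hunk.
```cpp
    if (!ssl)
        return NULL;

    SBuf *host = NULL;
    if (const CachePeer *peer = serverConnection()->getPeer()) {
        // NP: domain may be a raw-IP but it is now always set
        assert(!peer->secure.sslDomain.isEmpty());
        host = new SBuf(peer->secure.sslDomain);
        if (peer->sslSession)
            SSL_set_session(ssl, peer->sslSession);
    } else {
        // not destined to a cache peer (e.g. an internal Downloader request):
        // the requested origin host is the expected server name
        host = new SBuf(request->url.host());
    }
    // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
    SSL_set_ex_data(ssl, ssl_ex_index_server, host);

    return ssl;
```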