SNI to ICAP via 2nd CONNECT
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Mon, 14 Sep 2015 17:00:19 +0000 (20:00 +0300)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Mon, 14 Sep 2015 17:00:19 +0000 (20:00 +0300)
When Squid decides to splice a connection in the step2 SSL bumping step, it
sends a second fake CONNECT request to the ICAP/eCAP service for adaptation.

This patch fixes squid to use the SNI information when sending the second
CONNECT request, if it is available.

This is a Measurement Factory project

src/client_side.cc

index a0b054306ea4bca636e82811b8d14dbed372bfdd..539cc7c578f11b861429a8dc959515576b357d1a 100644 (file)
@@ -4312,14 +4312,21 @@ void
 ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload)
 {
     // fake a CONNECT request to force connState to tunnel
-    static char ip[MAX_IPSTRLEN];
-    clientConnection->local.toUrl(ip, sizeof(ip));
+    SBuf connectHost;
+    if (serverBump() && !serverBump()->clientSni.isEmpty()) {
+        connectHost.assign(serverBump()->clientSni);
+        if (clientConnection->local.port() > 0)
+            connectHost.appendf(":%d",clientConnection->local.port());
+    } else {
+        static char ip[MAX_IPSTRLEN];
+        connectHost.assign(clientConnection->local.toUrl(ip, sizeof(ip)));
+    }
     // Pre-pend this fake request to the TLS bits already in the buffer
     SBuf retStr;
     retStr.append("CONNECT ");
-    retStr.append(ip);
+    retStr.append(connectHost);
     retStr.append(" HTTP/1.1\r\nHost: ");
-    retStr.append(ip);
+    retStr.append(connectHost);
     retStr.append("\r\n\r\n");
     retStr.append(payload);
     in.buf = retStr;
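Review bot: `serverBump()->clientSni` is taken from the client's TLS ClientHello and is copied verbatim into both the request line and the `Host:` header of the faked CONNECT, with no check in this hunk that it is a well-formed host name. If the SNI extraction code (not shown here) does not already reject them, a name containing CR, LF, SP or NUL would change how the prepended request is parsed, and therefore what the ICAP/eCAP service and any ACLs see. I would validate the name before `connectHost.assign(serverBump()->clientSni);` and take the existing `toUrl()` branch when validation fails. A comment would record the assumption: `// clientSni is client-supplied; use it only after confirming it is a valid host name (no CR/LF/SP/NUL)`. The body of `fakeAConnectRequest` continues past the end of the hunk, so later handling of `in.buf` could not be reviewed.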