From: Christos Tsantilas
Date: Tue, 31 Jan 2012 20:57:35 +0000 (+0200)
Subject: Bug fix: The SQUID_X509_V_ERR_DOMAIN_MISMATCH error name when used with sslproxy_cert...
X-Git-Tag: BumpSslServerFirst.take04~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d82c5b8a66b0986c42defe351e8320ec14770c8;p=thirdparty%2Fsquid.git
Bug fix: The SQUID_X509_V_ERR_DOMAIN_MISMATCH error name when used with sslproxy_cert_error never matches
---
diff --git a/src/client_side.cc b/src/client_side.cc
index afaf08c1d6..1b3c715f67 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2477,10 +2477,14 @@ bool ConnStateData::serveDelayedError(ClientSocketContext *context)
 debugs(33, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate does not match domainname " << request->GetHost());
 ACLFilledChecklist check(Config.ssl_client.cert_error, request, dash_str);
+ check.sslErrorList = new Ssl::Errors(SQUID_X509_V_ERR_DOMAIN_MISMATCH);
 if (Comm::IsConnOpen(pinning.serverConnection)) check.fd(pinning.serverConnection->fd);
+ bool allowDomainMismatch = (check.fastCheck() == ACCESS_ALLOWED);
+ delete check.sslErrorList;
+ check.sslErrorList = NULL;
- if (check.fastCheck() != ACCESS_ALLOWED) {
+ if (!allowDomainMismatch) {
 clientStreamNode *node = context->getClientReplyContext();
 clientReplyContext *repContext = dynamic_cast(node->data.getRaw());
 assert (repContext);
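Review bot: The `Ssl::Errors` list assigned to `check.sslErrorList` is managed by hand, so it is only released if nothing between the `new` and the `delete` leaves the block early; an exception from `check.fd()` or `check.fastCheck()` would leak it. Whether `ACLFilledChecklist` itself frees or re-reads that pointer is not visible in this hunk, although the explicit `check.sslErrorList = NULL;` suggests it may. If the checklist only borrows the list, a comment such as `// check borrows sslErrorList: free it and clear the pointer before check is destroyed` above the `delete` would record the ownership rule. Separately, the allow outcome is silent in the lines shown; something like `if (allowDomainMismatch) debugs(33, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH allowed by sslproxy_cert_error for " << request->GetHost());` would leave a trace when a certificate name mismatch is overridden by ACL. The body of serveDelayedError starts and ends outside the hunk.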