From: Christos Tsantilas
Date: Thu, 17 Sep 2015 05:40:34 +0000 (-0700)
Subject: Support SNI on generated CONNECT after peek
X-Git-Tag: SQUID_3_5_9~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83faf70c5365c39991fc416cc7d5b89de8ab7a2c;p=thirdparty%2Fsquid.git
Support SNI on generated CONNECT after peek
When Squid decides to splice a connection in the step2 SSL bumping step sends a second fake CONNECT request to the ICAP/eCAP for adaptation. This patch fixes squid to use the SNI information when sending the second CONNECT request, if it is available. This is a Measurement Factory project
---
diff --git a/src/client_side.cc b/src/client_side.cc
index 3ba425db06..6fde62adef 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -4424,14 +4424,24 @@ void
 ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload)
 {
 // fake a CONNECT request to force connState to tunnel
- static char ip[MAX_IPSTRLEN];
- clientConnection->local.toUrl(ip, sizeof(ip));
+ SBuf connectHost;
+#if USE_OPENSSL
+ if (serverBump() && !serverBump()->clientSni.isEmpty()) {
+ connectHost.assign(serverBump()->clientSni);
+ if (clientConnection->local.port() > 0)
+ connectHost.appendf(":%d",clientConnection->local.port());
+ } else
+#endif
+ {
+ static char ip[MAX_IPSTRLEN];
+ connectHost.assign(clientConnection->local.toUrl(ip, sizeof(ip)));
+ }
 // Pre-pend this fake request to the TLS bits already in the buffer
 SBuf retStr;
 retStr.append("CONNECT ");
- retStr.append(ip);
+ retStr.append(connectHost);
 retStr.append(" HTTP/1.1\r\nHost: ");
- retStr.append(ip);
+ retStr.append(connectHost);
 retStr.append("\r\n\r\n");
 retStr.append(payload);
 in.buf = retStr;
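Review bot: `serverBump()->clientSni` comes straight from the client's TLS ClientHello and is copied into both the request line and the `Host:` header of the fabricated CONNECT with no check visible in this hunk, so a name containing whitespace, CR/LF or other non-hostname bytes would change how the fake request is parsed and what the ICAP/eCAP service sees. Unless the SNI is already validated where it is extracted (not shown here), use it only when it is a syntactically valid hostname and otherwise fall through to the existing `toUrl()` branch; at minimum record the assumption with `// clientSni is client-controlled; must be validated as a hostname before it reaches the request line`. The SNI is also only a client claim and may not match `clientConnection->local`, so adaptation or ACL decisions keyed on this CONNECT host should not treat it as a verified destination. When `local.port()` is 0 the SNI branch emits a CONNECT target with no port, which is worth handling explicitly. The function body continues past the end of the hunk.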