From: Christos Tsantilas
Date: Mon, 27 Feb 2012 17:17:09 +0000 (+0200)
Subject: When there is an error and we know the intended server name from CONNECT
X-Git-Tag: BumpSslServerFirst.take05~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8499a1de8f7ba5e87c5f37b352ee735acf989a49;p=thirdparty%2Fsquid.git
When there is an error and we know the intended server name from CONNECT request, we should use that name for the CN in the fake certificate instead of mimicking the received true server certificate CN.
---
diff --git a/src/client_side.cc b/src/client_side.cc
index 76ff112f41..2f4099c34c 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3895,7 +3895,14 @@ ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection)
 debugs(33, 5, HERE << "bumped HTTPS server: " << sslConnectHostOrIp);
 } else {
 debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp);
- if (bumpServerCert.get())
+ Ip::Address intendedDest;
+ intendedDest = sslConnectHostOrIp.termedBuf();
+ // Squid serves its own error page and closes, so we want
+ // a CN that causes no additional browser errors. Possible
+ // only when bumping CONNECT which uses a host name.
+ if (intendedDest.IsAnyAddr())
+ sslCommonName = sslConnectHostOrIp;
+ else if (bumpServerCert.get())
 sslCommonName = Ssl::CommonHostName(bumpServerCert.get());
 }
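Review bot: The `intendedDest.IsAnyAddr()` test stands in for "the CONNECT target did not parse as an IP literal", and nothing in the hunk says so; it appears to rely on a failed parse leaving `intendedDest` at its default any-address value, which should be confirmed against `Ip::Address`. A target that is literally the any-address (`0.0.0.0` or `::`) would take the same branch and become the CN. I would state the assumption directly above the test, e.g. `// a failed parse leaves intendedDest as ANY, i.e. sslConnectHostOrIp is a host name, not an IP literal`, or branch on an explicit parse result if `Ip::Address` exposes one. Because `sslConnectHostOrIp` is, per the commit message, the name taken from the client's CONNECT request, it is also worth checking that it is a well-formed host name of acceptable length before it is copied into a certificate that Squid signs. The enclosing `httpsPeeked()` starts and ends outside the hunk.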