From: Christos Tsantilas Date: Mon, 14 Sep 2015 17:00:19 +0000 (+0300) Subject: SNI to ICAP via 2nd CONNECT X-Git-Tag: SQUID_4_0_1~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e88bdb0e54b6a7f14ff8f5b25f208a573a7ba5f5;p=thirdparty%2Fsquid.git SNI to ICAP via 2nd CONNECT When Squid decides to splice a connection in the step2 SSL bumping step sends a second fake CONNECT request to the ICAP/eCAP for adaptation. This patch fixes squid to use the SNI information when sending the second CONNECT request, if it is available. This is a Measurement Factory project
---
diff --git a/src/client_side.cc b/src/client_side.cc
index a0b054306e..539cc7c578 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -4312,14 +4312,21 @@ void
 ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload)
 {
 // fake a CONNECT request to force connState to tunnel
- static char ip[MAX_IPSTRLEN];
- clientConnection->local.toUrl(ip, sizeof(ip));
+ SBuf connectHost;
+ if (serverBump() && !serverBump()->clientSni.isEmpty()) {
+ connectHost.assign(serverBump()->clientSni);
+ if (clientConnection->local.port() > 0)
+ connectHost.appendf(":%d",clientConnection->local.port());
+ } else {
+ static char ip[MAX_IPSTRLEN];
+ connectHost.assign(clientConnection->local.toUrl(ip, sizeof(ip)));
+ }
 // Pre-pend this fake request to the TLS bits already in the buffer
 SBuf retStr;
 retStr.append("CONNECT ");
- retStr.append(ip);
+ retStr.append(connectHost);
 retStr.append(" HTTP/1.1\r\nHost: ");
- retStr.append(ip);
+ retStr.append(connectHost);
 retStr.append("\r\n\r\n");
 retStr.append(payload);
 in.buf = retStr;
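Review bot: The SNI value copied into `connectHost` comes from the client's TLS ClientHello and is appended unmodified into both the request line and the `Host:` header of the synthesized CONNECT, and nothing in this hunk checks its characters. If `clientSni` can carry a space, CR or LF (whether it is validated where it is parsed is not visible here), the fake request that Squid re-parses and hands to ICAP/eCAP could gain extra tokens or header lines. Take the SNI branch only when every byte is a hostname character (letters, digits, `-`, `.`) and otherwise fall through to the existing `toUrl()` branch, with a comment such as `// clientSni is client-supplied: never place it in the request line unvalidated`. Adaptation services should also treat this host as client-asserted rather than as the verified destination. The function body continues past the end of the hunk.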