{
assert(checklist != NULL && checklist->request != NULL);
- if (checklist->conn() && checklist->conn()->serverBump()) {
- if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) {
- if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>))
- return 1;
+ const char *serverName = nullptr;
+ SBuf serverNameKeeper; // because c_str() is not constant
+ if (ConnStateData *conn = checklist->conn()) {
+
+ if (conn->serverBump()) {
+ if (X509 *peer_cert = conn->serverBump()->serverCert.get())
+ return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>);
}
- }
- const char *serverName = NULL;
- if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty()) {
- SBuf scn = checklist->conn()->sslCommonName();
- serverName = scn.c_str();
+ if (conn->sslCommonName().isEmpty()) {
+ const char *host = checklist->request->url.host();
+ if (host && *host) // paranoid first condition: host() is never nil
+ serverName = host;
+ } else {
+ serverNameKeeper = conn->sslCommonName();
+ serverName = serverNameKeeper.c_str();
+ }
}
- if (serverName == NULL)
- serverName = checklist->request->url.host();
-
- if (serverName && data->match(serverName)) {
- return 1;
- }
+ if (!serverName)
+ serverName = "none";
- return data->match("none");
+ return data->match(serverName);
}
ACLServerNameStrategy *
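Review bot: On the new side, once `conn->serverBump()->serverCert` is set the function returns the verdict of `Ssl::matchX509CommonNames(...)` directly, so a certificate name mismatch no longer falls back to `sslCommonName()` or `request->url.host()` the way the removed code did; that is a sensible trust ordering but it is silent, so a comment such as `// a bumped server certificate is the authoritative name source; never fall back to client-supplied names on mismatch` should sit above that `return`. Further down, a non-empty `conn->sslCommonName()` takes precedence over `checklist->request->url.host()` with no check that the two agree, and both values originate from the client (the TLS SNI and the CONNECT target), so an ACL evaluated through this path matches whichever name the client chose to send in SNI; if that is intended it deserves a comment, otherwise comparing the two and preferring the request host (or failing the match on disagreement) is the defensive choice. The `"none"` fallback now also applies to a bumped connection with no server certificate yet, an empty SNI and an empty host, which matches the cf.data.pre wording added in this commit. The enclosing function's signature is above this hunk.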
# During each Ssl-Bump step, Squid may improve its understanding of a
# "true server name". Unlike dstdomain, this ACL does not perform
# DNS lookups.
+ # The "none" name can be used to match transactions where Squid
+ # could not compute the server name using any information source
+ # already available at the ACL evaluation time.
acl aclname ssl::server_name_regex [-i] \.foo\.com ...
# regex matches server name obtained from various sources [fast]
debugs(83, 5, "FD " << fd << " has no certificate.");
}
-#if defined(TLSEXT_NAMETYPE_host_name)
- if (!conn->serverBump()) {
- // when in bumpClientFirst mode, get the server name from SNI
- if (const char *server = SSL_get_servername(session.get(), TLSEXT_NAMETYPE_host_name))
- conn->resetSslCommonName(server);
- }
-#endif
-
conn->readSomeData();
}
// Even if the parser failed, each TLS detail should either be set
// correctly or still be "unknown"; copying unknown detail is a no-op.
- clientConnection->tlsNegotiations()->retrieveParsedInfo(tlsParser.details);
+ Security::TlsDetails::Pointer const &details = tlsParser.details;
+ clientConnection->tlsNegotiations()->retrieveParsedInfo(details);
+ if (details && !details->serverName.isEmpty()) {
+ resetSslCommonName(details->serverName.c_str());
+ if (sslServerBump)
+ sslServerBump->clientSni = details->serverName;
+ }
// We should disable read/write handlers
Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, NULL, NULL, 0);
return;
}
- if (serverBump()) {
- Security::TlsDetails::Pointer const &details = tlsParser.details;
- if (details && !details->serverName.isEmpty()) {
- serverBump()->clientSni = details->serverName;
- resetSslCommonName(details->serverName.c_str());
- }
- }
-
startPeekAndSpliceDone();
}
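Review bot: `resetSslCommonName(details->serverName.c_str())` now runs for every parsed ClientHello that carries an SNI, whereas the removed block only did so under `serverBump()`; the SNI is client-supplied and nothing in this hunk validates it, and the ACL hunk in this commit prefers `sslCommonName()` over the request host, so the set of places where a client-chosen name is consulted has widened. That is probably the point of the change, but it should be stated at the new `if (details && !details->serverName.isEmpty())` line, e.g. `// SNI is client-supplied and unverified; it seeds sslCommonName for ACL checks until a server certificate is available (see ACLServerNameStrategy)`. The `clientSni` assignment is unchanged in effect, only moved ahead of the parse-failure return; it is now skipped when `tlsParser.details` is null, same as before. The enclosing function begins before this hunk.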