From 9db3fdb3a6ad6afb982af319540d042ac201150e Mon Sep 17 00:00:00 2001
From: Christos Tsantilas
Date: Fri, 19 Dec 2014 19:54:32 +0200
Subject: [PATCH] Fix peek-and-splice mode: certificate validation for domain mismatched errors

Currently squid does not check for domain mismatched errors while validates the server certificate on peek and splice mode, even if the server hostname is known from SNI info or from CONNECT request string.

This is a Measurement Factory project
---
src/ssl/PeerConnector.cc | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index 1ca6f853ec..d0b7fd68f4 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -163,6 +163,13 @@ Ssl::PeerConnector::initializeSsl()
 srvBio->recordInput(true);
 srvBio->mode(request->clientConnectionManager->sslBumpMode);
 }
+ const bool isConnectRequest = request->clientConnectionManager.valid() && !request->clientConnectionManager->port->flags.isIntercepted();
+ if (isConnectRequest)
+ SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost());
+ else if (!features.serverName.isEmpty())
+ SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)features.serverName.c_str());
 }
 } else {
 // While we are peeking at the certificate, we may not know the server
--
2.47.2
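Review bot: Both added SSL_set_ex_data() calls discard the return value, so if OpenSSL fails to store the name the later certificate verification runs with no server name and the domain-mismatch check this patch introduces is silently skipped — a fail-open in a security check rather than a hard error. The value stored is also a raw `char*` into `request` (GetHost()) or into `features.serverName`, so it is only safe if those objects are guaranteed to outlive the SSL verify callback that reads `ssl_ex_index_server`; if that cannot be shown here, copy the name into storage owned by the SSL object (released through an ex-data free callback) instead of aliasing it. The two `(void*)` casts also drop `const` with a C-style cast; selecting the name once and making a single checked store call, as below, removes the duplication and the unchecked failure path. initializeSsl() begins and ends outside this hunk, so the surrounding error-handling convention is not visible from here.
```cpp
        const bool isConnectRequest = request->clientConnectionManager.valid() &&
                                      !request->clientConnectionManager->port->flags.isIntercepted();
        const char *serverName = NULL;
        if (isConnectRequest)
            serverName = request->GetHost();
        else if (!features.serverName.isEmpty())
            serverName = features.serverName.c_str();
        // A failed store must not let verification proceed without the name.
        if (serverName && !SSL_set_ex_data(ssl, ssl_ex_index_server, const_cast<char *>(serverName))) {
            // … report the failure through this file's error path and do not continue with validation …
        }
```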