Hi all,
When Squid decides to splice a connection at SSL-bumping step 2, it sends a second fake CONNECT request to the ICAP/eCAP service for adaptation.
This patch makes Squid use the client-supplied SNI, when one is available, as the host of that second CONNECT request.
This is a Measurement Factory project
SNI to ICAP via 2nd CONNECT
When Squid decides to splice a connection at SSL-bumping step 2, it sends a second fake CONNECT request to the ICAP/eCAP service for adaptation.
This patch makes Squid use the client-supplied SNI, when one is available, as the host of that second CONNECT request.
This is a Measurement Factory project
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2015-08-30 00:26:47 +0000
+++ src/client_side.cc 2015-09-10 16:16:40 +0000
@@ -4295,48 +4295,55 @@
pinConnection(serverConnection, NULL, NULL, false);
debugs(33, 5, HERE << "bumped HTTPS server: " << sslConnectHostOrIp);
} else {
debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp);
// copy error detail from bump-server-first request to CONNECT request
if (currentobject != NULL && currentobject->http != NULL && currentobject->http->request)
currentobject->http->request->detailError(sslServerBump->request->errType, sslServerBump->request->errDetail);
}
getSslContextStart();
}
#endif /* USE_OPENSSL */
void
ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload)
{
// fake a CONNECT request to force connState to tunnel
- static char ip[MAX_IPSTRLEN];
- clientConnection->local.toUrl(ip, sizeof(ip));
+ SBuf connectHost;
+ if (serverBump() && !serverBump()->clientSni.isEmpty()) {
+ connectHost.assign(serverBump()->clientSni);
+ if (clientConnection->local.port() > 0)
+ connectHost.appendf(":%d",clientConnection->local.port());
+ } else {
+ static char ip[MAX_IPSTRLEN];
+ connectHost.assign(clientConnection->local.toUrl(ip, sizeof(ip)));
+ }
// Pre-pend this fake request to the TLS bits already in the buffer
SBuf retStr;
retStr.append("CONNECT ");
- retStr.append(ip);
+ retStr.append(connectHost);
retStr.append(" HTTP/1.1\r\nHost: ");
- retStr.append(ip);
+ retStr.append(connectHost);
retStr.append("\r\n\r\n");
retStr.append(payload);
in.buf = retStr;
bool ret = handleReadData();
if (ret)
ret = clientParseRequests();
if (!ret) {
debugs(33, 2, "Failed to start fake CONNECT request for " << reason << " connection: " << clientConnection);
clientConnection->close();
}
}
/// check FD after clientHttp[s]ConnectionOpened, adjust HttpSockets as needed
static bool
OpenedHttpSocket(const Comm::ConnectionPointer &c, const Ipc::FdNoteId portType)
{
if (!Comm::IsConnOpen(c)) {
Must(NHttpSockets > 0); // we tried to open some
--NHttpSockets; // there will be fewer sockets than planned
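Review bot: The new branch in fakeAConnectRequest() copies clientSni verbatim into both the CONNECT request-target and the Host header, and that text is then parsed as a real request by handleReadData()/clientParseRequests() and forwarded to ICAP/eCAP; the SNI is attacker-controlled bytes from the ClientHello, so unless it is already restricted to hostname characters where it is extracted (not visible here), a value containing whitespace, CR/LF, `/`, `:` or `@` can break the fake request or smuggle extra header lines into the adaptation request. The fallback path is already safe because toUrl() emits a validated, bracketed IP literal, so the cheap fix is to take the SNI only when every byte is a letter, digit, `-` or `.` and the length is within the DNS name limit, and otherwise log at debugs(33, 2, ...) and fall through to the existing IP form. Two smaller points on the same lines: a bare IPv6 literal sent as SNI (non-compliant but seen in the wild) would land unbracketed in the authority, so the same character check should reject it, and the `static` on the `ip` buffer is no longer needed now that it is scoped to the else branch.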