Search squid archive

Re: SSL connction failed due to SNI after content redirection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/20/2015 11:28 AM, Alex Wu wrote:
> With 3.5.6 code, we found one thing is broken.
> 
> We used pyredir to rewrite request to a surrogated server enabled SSL
> connection.
> 
> Also, we enable this in squid.conf:
> 
> url_rewrite_host_header on
> 
> We expect a request to www.foo.com is changed to www.foo-internal.com.
> 
> squid sends the request with the host header rewritten by pyredir as
> www.foo-internal.com  , but it fails connecting to the server withSSL
> enabled due to SNI hostname selection (it is under SSLBUMP). We did this
> change to get it work:
> 
> --- a/squid-3.5.6/src/ssl/PeerConnector.cc
> +++ b/squid-3.5.6/src/ssl/PeerConnector.cc
> @@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()
> 
>              // Use SNI TLS extension only when we connect directly
>              // to the origin server and we know the server host name.
> -            const char *sniServer = hostName ? hostName->c_str() :
> -                                    (!request->GetHostIsNumeric() ?
> request->GetHost() : NULL);
> +            const char *sniServer = hostName->c_str();
> +            if ( request->flags.redirected &&
> ::Config.onoff.redir_rewrites_host) {
> +                sniServer = !request->GetHostIsNumeric() ?
> request->GetHost() : NULL;
> +            }
>              if (sniServer) {
>                  debugs(83, 5, "SNIserve " << sniServer);
>                  Ssl::setClientSNI(ssl, sniServer);
> 
> 
> Is this correct?


Not quite: Your code is unconditionally dereferencing hostName which
might be NULL. You also seem to disable the request->GetHost() path for
cases where flags.redirected && redir_rewrites_host is false. However, I
am not an expert on rewrite request APIs...

You may want to move this to squid-dev or Bugzilla.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux