Overlooked before.
This should be right now:
--- a/squid-3.5.6/src/ssl/PeerConnector.cc
+++ b/squid-3.5.6/src/ssl/PeerConnector.cc
@@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()
 // Use SNI TLS extension only when we connect directly
 // to the origin server and we know the server host name.
- const char *sniServer = hostName ? hostName->c_str() :
- (!request->GetHostIsNumeric() ? request->GetHost() : NULL);
+ const char *sniServer = hostName ? hostName->c_str() : NULL;
+ if (!sniServer ||
+ (request->flags.redirected &&
+ ::Config.onoff.redir_rewrites_host)) {
+ sniServer = !request->GetHostIsNumeric() ? request->GetHost() : NULL;
+ }
 if (sniServer) {
 debugs(83, 5, "SNIserve " << sniServer);
 Ssl::setClientSNI(ssl, sniServer);
Alex From: alex_wu2012@xxxxxxxxxxx To: rousskov@xxxxxxxxxxxxxxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxxxxxxxx Date: Mon, 20 Jul 2015 12:34:05 -0700 Subject: Re: SSL connction failed due to SNI after content redirection That's right,
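Review bot: The new `if` discards a usable client SNI when the rewritten Host is numeric: with `request->flags.redirected` and `::Config.onoff.redir_rewrites_host` both set and `GetHostIsNumeric()` true, `sniServer` is reset to `NULL` even though `hostName` was non-NULL, so no SNI is sent at all. If that is intended (an IP-literal origin gets no SNI, and the name the client sent must not be presented to a server it did not name), it deserves a comment above the `if`, e.g. `// A rewritten Host header overrides the client's SNI: the origin we now connect to may differ from the one the client named; an IP-literal Host gets no SNI.` Also, the hunk header `@@ -191,8 +194,10 @@` does not match the lines quoted (7 old, 11 new), so the patch as posted will not apply cleanly; the same applies to the hunk in the next message. initializeSsl() continues outside the hunk.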
It should be as follows:
--- a/squid-3.5.6/src/ssl/PeerConnector.cc
+++ b/squid-3.5.6/src/ssl/PeerConnector.cc
@@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()
 // Use SNI TLS extension only when we connect directly
 // to the origin server and we know the server host name.
- const char *sniServer = hostName ? hostName->c_str() :
- (!request->GetHostIsNumeric() ? request->GetHost() : NULL);
+ const char *sniServer = hostName->c_str();
+ if (request->flags.redirected &&
+ ::Config.onoff.redir_rewrites_host &&
+ !request->GetHostIsNumeric() ) {
+ sniServer = request->GetHost();
+ }
 if (sniServer) {
 debugs(83, 5, "SNIserve " << sniServer);
 Ssl::setClientSNI(ssl, sniServer);
Let me see if I can get squid-dev. Alex > Date: Mon, 20 Jul 2015 13:10:26 -0600 > From: rousskov@xxxxxxxxxxxxxxxxxxxxxxx > To: alex_wu2012@xxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxxxxxxxx > Subject: Re: [squid-users] SSL connction failed due to SNI after content redirection > > On 07/20/2015 11:28 AM, Alex Wu wrote: > > With 3.5.6 code, we found one thing is broken. > > > > We used pyredir to rewrite request to a surrogated server enabled SSL > > connection. > > > > Also, we enable this in squid.conf: > > > > url_rewrite_host_header on > > > > We expect a request to www.foo.com is changed to www.foo-internal.com. > > > > squid sends the request with the host header rewritten by pyredir as > > www.foo-internal.com , but it fails connecting to the server withSSL > > enabled due to SNI hostname selection (it is under SSLBUMP). We did this > > change to get it work: > > > > --- a/squid-3.5.6/src/ssl/PeerConnector.cc > > +++ b/squid-3.5.6/src/ssl/PeerConnector.cc
> > @@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl() > > > > // Use SNI TLS extension only when we connect directly > > // to the origin server and we know the server host name. > > - const char *sniServer = hostName ? hostName->c_str() : > > - (!request->GetHostIsNumeric() ? > > request->GetHost() : NULL); > > + const char *sniServer = hostName->c_str(); > > + if ( request->flags.redirected && > > ::Config.onoff.redir_rewrites_host) { > > + sniServer = !request->GetHostIsNumeric() ? > > request->GetHost() : NULL; > > + } > > if (sniServer) { > > debugs(83, 5, "SNIserve " << sniServer); > > Ssl::setClientSNI(ssl, sniServer); > > > > > > Is this correct? > > > Not quite: Your code is unconditionally dereferencing hostName which > might be NULL. You also seem to disable the request->GetHost() path for > cases where flags.redirected && redir_rewrites_host is false. However, I > am not an expert on rewrite request APIs... > > You may want to move this to squid-dev or Bugzilla. > > > HTH, > > Alex. > _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users |