<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>That's right,<br><br>It should be as follows:<br><br>--- a/squid-3.5.6/src/ssl/PeerConnector.cc<br>+++ b/squid-3.5.6/src/ssl/PeerConnector.cc<br>@@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()<br><br> // Use SNI TLS extension only when we connect directly<br> // to the origin server and we know the server host name.<br>- const char *sniServer = hostName ? hostName->c_str() :<br>- (!request->GetHostIsNumeric() ? request->GetHost() : NULL);<br>+ const char *sniServer = hostName->c_str();<br>+ if (request->flags.redirected &&<br>+ ::Config.onoff.redir_rewrites_host &&<br>+ !request->GetHostIsNumeric() ) {<br>+ sniServer = request->GetHost();<br>+ }<br> if (sniServer) {<br> debugs(83, 5, "SNIserve " << sniServer);<br> Ssl::setClientSNI(ssl, sniServer);<br><br>Let me see if I can get squid-dev.<br><br>Alex<br><br><br><br /><br /><div>> Date: Mon, 20 Jul 2015 13:10:26 -0600<br>> From: rousskov@measurement-factory.com<br>> To: alex_wu2012@hotmail.com; squid-users@lists.squid-cache.org<br>> Subject: Re: [squid-users] SSL connction failed due to SNI after content redirection<br>> <br>> On 07/20/2015 11:28 AM, Alex Wu wrote:<br>> > With 3.5.6 code, we found one thing is broken.<br>> > <br>> > We used pyredir to rewrite request to a surrogated server enabled SSL<br>> > connection.<br>> > <br>> > Also, we enable this in squid.conf:<br>> > <br>> > url_rewrite_host_header on<br>> > <br>> > We expect a request to www.foo.com is changed to www.foo-internal.com.<br>> > <br>> > squid sends the request with the host header rewritten by pyredir as<br>> > www.foo-internal.com , but it fails connecting to the server withSSL<br>> > enabled due to SNI hostname selection (it is under SSLBUMP). We did this<br>> > change to get it work:<br>> > <br>> > --- a/squid-3.5.6/src/ssl/PeerConnector.cc<br>> > +++ b/squid-3.5.6/src/ssl/PeerConnector.cc<br>> > @@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()<br>> > <br>> > // Use SNI TLS extension only when we connect directly<br>> > // to the origin server and we know the server host name.<br>> > - const char *sniServer = hostName ? hostName->c_str() :<br>> > - (!request->GetHostIsNumeric() ?<br>> > request->GetHost() : NULL);<br>> > + const char *sniServer = hostName->c_str();<br>> > + if ( request->flags.redirected &&<br>> > ::Config.onoff.redir_rewrites_host) {<br>> > + sniServer = !request->GetHostIsNumeric() ?<br>> > request->GetHost() : NULL;<br>> > + }<br>> > if (sniServer) {<br>> > debugs(83, 5, "SNIserve " << sniServer);<br>> > Ssl::setClientSNI(ssl, sniServer);<br>> > <br>> > <br>> > Is this correct?<br>> <br>> <br>> Not quite: Your code is unconditionally dereferencing hostName which<br>> might be NULL. You also seem to disable the request->GetHost() path for<br>> cases where flags.redirected && redir_rewrites_host is false. However, I<br>> am not an expert on rewrite request APIs...<br>> <br>> You may want to move this to squid-dev or Bugzilla.<br>> <br>> <br>> HTH,<br>> <br>> Alex.<br>> <br></div> </div></body>
</html>