<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>With 3.5.6 code, we found one thing is broken.<br><br>We used pyredir to rewrite requests to a surrogate server with an SSL-enabled connection. <br><br>Also, we enable this in squid.conf:<br><br>url_rewrite_host_header on<br><br>We expect a request to <a href="www.foo.com" target="_blank">www.foo.com</a> to be changed to <a href="www.foo-internal.com." target="_blank">www.foo-internal.com.</a> <br><br>squid sends the request with the host header rewritten by pyredir as <a href="www.foo-internal.com" target="_blank">www.foo-internal.com</a>, but it fails connecting to the server with SSL enabled due to SNI hostname selection (it is under SSLBUMP). We did this change to get it to work:<br><br>--- a/squid-3.5.6/src/ssl/PeerConnector.cc<br>+++ b/squid-3.5.6/src/ssl/PeerConnector.cc<br>@@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()<br><br> // Use SNI TLS extension only when we connect directly<br> // to the origin server and we know the server host name.<br>- const char *sniServer = hostName ? hostName->c_str() :<br>- (!request->GetHostIsNumeric() ? request->GetHost() : NULL);<br>+ const char *sniServer = hostName->c_str();<br>+ if ( request->flags.redirected && ::Config.onoff.redir_rewrites_host) {<br>+ sniServer = !request->GetHostIsNumeric() ? request->GetHost() : NULL;<br>+ }<br> if (sniServer) {<br> debugs(83, 5, "SNIserve " << sniServer);<br> Ssl::setClientSNI(ssl, sniServer);<br><br><br>Is this correct?<br><br>Alex<br> </div></body>
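Review bot: the two `+` lines that replace the old initializer drop the null guard on `hostName`: the removed code only called `hostName->c_str()` when `hostName` was set and otherwise fell back to `request->GetHost()` for a non-numeric host, while the new `const char *sniServer = hostName->c_str();` dereferences it unconditionally, so on exactly the path the comment above describes (no known server host name) this is a null pointer dereference that the later `if (sniServer)` check cannot catch; it also loses the `request->GetHost()` fallback for non-redirected requests. Keep the original two lines unchanged and add only the override after them, i.e. `if (request->flags.redirected && ::Config.onoff.redir_rewrites_host) { sniServer = !request->GetHostIsNumeric() ? request->GetHost() : NULL; }`, so the rewritten Host header selects the SNI name only when url_rewrite_host_header is on and the request was actually redirected, and every other case behaves as before. Minor: the stray space in `if ( request->flags...` does not match the surrounding style.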
</html>