[squid-users] SSL connection failed due to SNI after content redirection

Alex Rousskov rousskov at measurement-factory.com
Mon Jul 20 19:10:26 UTC 2015


On 07/20/2015 11:28 AM, Alex Wu wrote:
> With 3.5.6 code, we found one thing is broken.
> 
> We used pyredir to rewrite the request to a surrogate server with SSL
> enabled.
> 
> Also, we enable this in squid.conf:
> 
> url_rewrite_host_header on
> 
> We expect a request to www.foo.com is changed to www.foo-internal.com.
> 
> squid sends the request with the host header rewritten by pyredir as
> www.foo-internal.com, but it fails connecting to the server with SSL
> enabled due to SNI hostname selection (it is under SSLBUMP). We did this
> change to get it to work:
> 
> --- a/squid-3.5.6/src/ssl/PeerConnector.cc
> +++ b/squid-3.5.6/src/ssl/PeerConnector.cc
> @@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()
> 
>              // Use SNI TLS extension only when we connect directly
>              // to the origin server and we know the server host name.
> -            const char *sniServer = hostName ? hostName->c_str() :
> -                                    (!request->GetHostIsNumeric() ?
> request->GetHost() : NULL);
> +            const char *sniServer = hostName->c_str();
> +            if ( request->flags.redirected &&
> ::Config.onoff.redir_rewrites_host) {
> +                sniServer = !request->GetHostIsNumeric() ?
> request->GetHost() : NULL;
> +            }
>              if (sniServer) {
>                  debugs(83, 5, "SNIserve " << sniServer);
>                  Ssl::setClientSNI(ssl, sniServer);
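Review bot: `const char *sniServer = hostName->c_str();` dereferences hostName unconditionally, while the removed line guarded it with `hostName ? hostName->c_str() : ...`; the null check needs to stay or this crashes whenever hostName is absent. The new `if ( request->flags.redirected && ::Config.onoff.redir_rewrites_host)` branch also drops the old fallback: a request with no hostName that was not redirected used to get `request->GetHost()` as SNI and now gets nothing, so non-redirected bumped connections lose SNI as well. Suggest keeping the original ternary as the default and only overriding `sniServer` with the non-numeric request host inside the redirect branch, so both the null case and the non-redirected case keep their previous behaviour.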
> 
> 
> Is this correct?


Not quite: Your code is unconditionally dereferencing hostName which
might be NULL. You also seem to disable the request->GetHost() path for
cases where flags.redirected && redir_rewrites_host is false. However, I
am not an expert on rewrite request APIs...

You may want to move this to squid-dev or Bugzilla.


HTH,

Alex.
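A standalone C++ model of the SNI choice discussed in this thread, written as an added example rather than Squid's own code or the patch above: it keeps the original null-guarded fallback and only lets a redirector-rewritten Host override it when the host-header rewrite is on. `Request`, `hostIsNumeric` and `redirRewritesHost` are stand-in names for the Squid fields and config option, not the real API.

```cpp
#include <string>
#include <cctype>
#include <algorithm>

// Stand-in for the HttpRequest fields the SNI decision depends on
// (assumed names; the real Squid structures are different).
struct Request {
    std::string host;   // Host as Squid sees it, possibly rewritten by the redirector
    bool redirected;    // equivalent of request->flags.redirected
};

// Stand-in for request->GetHostIsNumeric(): an IP literal must never be sent as SNI.
static bool hostIsNumeric(const std::string &host) {
    if (host.empty())
        return false;
    if (host.front() == '[')            // bracketed IPv6 literal
        return true;
    return std::all_of(host.begin(), host.end(), [](unsigned char c) {
        return std::isdigit(c) || c == '.';   // dotted-quad IPv4 literal
    });
}

// Choose the SNI name. hostName may be null (the case the list patch failed
// to guard); an empty return value means "send no SNI".
std::string chooseSniServer(const std::string *hostName, const Request &request,
                            bool redirRewritesHost) {
    std::string sni;
    // Original 3.5.6 behaviour: explicit peer host name, else the non-numeric request host.
    if (hostName)
        sni = *hostName;
    else if (!hostIsNumeric(request.host))
        sni = request.host;

    // Only when the redirector rewrote the Host header and url_rewrite_host_header is on
    // does the rewritten host take precedence over the peer host name.
    if (request.redirected && redirRewritesHost)
        sni = hostIsNumeric(request.host) ? std::string() : request.host;
    return sni;
}
```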
