[squid-users] SSL connction failed due to SNI after content redirection

Alex Wu alex_wu2012 at hotmail.com
Mon Jul 20 19:34:05 UTC 2015 

That's right,

It should be as follows:

--- a/squid-3.5.6/src/ssl/PeerConnector.cc
+++ b/squid-3.5.6/src/ssl/PeerConnector.cc
@@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()

             // Use SNI TLS extension only when we connect directly
             // to the origin server and we know the server host name.
-            const char *sniServer = hostName ? hostName->c_str() :
-                                    (!request->GetHostIsNumeric() ? request->GetHost() : NULL);
+            const char *sniServer = hostName->c_str();
+            if (request->flags.redirected &&
+                ::Config.onoff.redir_rewrites_host &&
+                !request->GetHostIsNumeric() ) {
+                sniServer = request->GetHost();
+            }
             if (sniServer) {
                 debugs(83, 5, "SNIserve " << sniServer);
                 Ssl::setClientSNI(ssl, sniServer);

Let me see if I can get squid-dev.

Alex


> Date: Mon, 20 Jul 2015 13:10:26 -0600
> From: rousskov at measurement-factory.com
> To: alex_wu2012 at hotmail.com; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] SSL connction failed due to SNI after content redirection
> 
> On 07/20/2015 11:28 AM, Alex Wu wrote:
> > With 3.5.6 code, we found one thing is broken.
> > 
> > We used pyredir to rewrite request to a surrogated server enabled SSL
> > connection.
> > 
> > Also, we enable this in squid.conf:
> > 
> > url_rewrite_host_header on
> > 
> > We expect a request to www.foo.com is changed to www.foo-internal.com.
> > 
> > squid sends the request with the host header rewritten by pyredir as
> > www.foo-internal.com  , but it fails connecting to the server withSSL
> > enabled due to SNI hostname selection (it is under SSLBUMP). We did this
> > change to get it work:
> > 
> > --- a/squid-3.5.6/src/ssl/PeerConnector.cc
> > +++ b/squid-3.5.6/src/ssl/PeerConnector.cc
> > @@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()
> > 
> >              // Use SNI TLS extension only when we connect directly
> >              // to the origin server and we know the server host name.
> > -            const char *sniServer = hostName ? hostName->c_str() :
> > -                                    (!request->GetHostIsNumeric() ?
> > request->GetHost() : NULL);
> > +            const char *sniServer = hostName->c_str();
> > +            if ( request->flags.redirected &&
> > ::Config.onoff.redir_rewrites_host) {
> > +                sniServer = !request->GetHostIsNumeric() ?
> > request->GetHost() : NULL;
> > +            }
> >              if (sniServer) {
> >                  debugs(83, 5, "SNIserve " << sniServer);
> >                  Ssl::setClientSNI(ssl, sniServer);
> > 
> > 
> > Is this correct?
> 
> 
> Not quite: Your code is unconditionally dereferencing hostName which
> might be NULL. You also seem to disable the request->GetHost() path for
> cases where flags.redirected && redir_rewrites_host is false. However, I
> am not an expert on rewrite request APIs...
> 
> You may want to move this to squid-dev or Bugzilla.
> 
> 
> HTH,
> 
> Alex.
> 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150720/38527658/attachment-0001.html>

More information about the squid-users mailing list