[squid-users] Ssl-Bump and revoked server certificates
Sebastian Kirschner
s.kirschner at afa-finanz.de
Tue Nov 3 14:09:39 UTC 2015
Hi,
Regarding my missing programming skills, it is hard for me to understand the code.
Regardless of that, I have a suggestion that could be added to the code; I hope it would work.
This should add a "variable" SNI, which should be "called" from cert_validate_message.h/.cc and appended as a new line between host and proto_version in the message to the external validator.
The code between the ** ** is my suggestion.
<PeerConnector.cc (279-286)>
if (Ssl::TheConfig.ssl_crt_validator) {
Ssl::CertValidationRequest validationRequest;
// WARNING: Currently we do not use any locking for any of the
// members of the Ssl::CertValidationRequest class. In this code the
// Ssl::CertValidationRequest object used only to pass data to
// Ssl::CertValidationHelper::submit method.
validationRequest.ssl = ssl;
validationRequest.domainName = request->GetHost();
** validationRequest.SNI = sniServer; **
</PeerConnector.cc>
<cert_validate_message.h (27-32)>
public:
SSL *ssl;
CertErrors *errors; ///< The list of errors detected
std::string domainName; ///< The server name
** std::string SNI; ///< The server name from SNI **
CertValidationRequest() : ssl(NULL), errors(NULL) {}
};
</cert_validate_message.h>
<cert_validate_message.cc (21-26)>
body.clear();
body += Ssl::CertValidationMsg::param_host + "=" + vcert.domainName;
STACK_OF(X509) *peerCerts = static_cast<STACK_OF(X509) *>(SSL_get_ex_data(vcert.ssl, ssl_ex_index_ssl_cert_chain));
** body += "\n" + Ssl::CertValidationMsg::param_SNI + "=" + vcert.SNI; **
if (const char *sslVersion = SSL_get_version(vcert.ssl))
body += "\n" + Ssl::CertValidationMsg::param_proto_version + "=" + sslVersion;
</cert_validate_message.cc >
Best Regards
Sebastian
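The following is an added example, not code from Squid or from the post above. It models both ends of the proposed change: the Squid side building the validator message body with the extra SNI line between host and proto_version, and a helper side that parses the key=value lines and refuses a request whose SNI does not agree with the requested host. The parameter names (host, sni, proto_version), the ValidationRequest struct and the function names are assumptions standing in for Squid's CertValidationMsg::param_* constants and Ssl::CertValidationRequest; a real helper would also check the SNI against the certificate's subject names.

```cpp
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// Constructed parameter names standing in for Squid's CertValidationMsg::param_* constants.
namespace CertValidationMsg {
    const std::string param_host = "host";
    const std::string param_SNI = "sni";                  // hypothetical, as proposed in the post
    const std::string param_proto_version = "proto_version";
}

// Stand-in for the fields of Ssl::CertValidationRequest that this example needs.
struct ValidationRequest {
    std::string domainName;   // requested host (request->GetHost() in the post)
    std::string SNI;          // server name from the client's TLS SNI (the proposed field)
    std::string sslVersion;   // e.g. "TLSv1.2" (SSL_get_version in the post)
};

// Squid side: build the message body with the SNI line inserted between host and proto_version.
std::string buildBody(const ValidationRequest &vcert) {
    std::string body;
    body += CertValidationMsg::param_host + "=" + vcert.domainName;
    if (!vcert.SNI.empty())
        body += "\n" + CertValidationMsg::param_SNI + "=" + vcert.SNI;
    if (!vcert.sslVersion.empty())
        body += "\n" + CertValidationMsg::param_proto_version + "=" + vcert.sslVersion;
    return body;
}

// Helper side: parse key=value lines into a map; lines without a key or '=' are ignored.
std::map<std::string, std::string> parseBody(const std::string &body) {
    std::map<std::string, std::string> kv;
    std::istringstream in(body);
    std::string line;
    while (std::getline(in, line)) {
        std::string::size_type eq = line.find('=');
        if (eq == std::string::npos || eq == 0)
            continue;
        kv[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return kv;
}

// DNS names are case-insensitive, so compare them lower-cased (ASCII only here).
std::string lowerAscii(std::string s) {
    for (char &c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Helper-side policy: when an SNI line is present it must name the requested host.
// Returns an empty string for a consistent request, otherwise the reason to reject it.
std::string sniMismatchReason(const std::map<std::string, std::string> &kv) {
    auto host = kv.find(CertValidationMsg::param_host);
    if (host == kv.end())
        return "missing host";
    auto sni = kv.find(CertValidationMsg::param_SNI);
    if (sni == kv.end())
        return "";   // no SNI line: nothing to compare against
    if (lowerAscii(sni->second) != lowerAscii(host->second))
        return "SNI '" + sni->second + "' does not match host '" + host->second + "'";
    return "";
}

int main() {
    // Constructed sample: a CONNECT for example.com whose TLS ClientHello names a different server.
    ValidationRequest req{"example.com", "other.example", "TLSv1.2"};
    std::string reason = sniMismatchReason(parseBody(buildBody(req)));
    return reason.empty() ? 0 : 1;   // non-zero exit means the helper would reject the request
}
```

The point of carrying the SNI separately is that the validator can see both the name the client asked for in CONNECT and the name it put in the TLS handshake; when the two differ, the helper has grounds to reject rather than validate the server certificate against the wrong name.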