------------------------------------------------------------
revno: 13699
revision-id: squid3@treenet.co.nz-20141220160508-flie60i044v5l558
parent: squid3@treenet.co.nz-20141220160028-0fmjbyorgqqojpyh
author: Christos Tsantilas
committer: Amos Jeffries
branch nick: 3.5
timestamp: Sat 2014-12-20 08:05:08 -0800
message:
Fix peek-and-splice mode: certificate validation for domain mismatched errors
Currently squid does not check for domain mismatched errors while validates the server certificate on peek and splice mode, even if the server hostname is known from SNI info or from CONNECT request string.
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20141220160508-flie60i044v5l558
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: c55a25814f33afc8d07b7381beb384f4cfa759f2
# timestamp: 2014-12-20 16:38:49 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20141220160028-\
# 0fmjbyorgqqojpyh
#
# Begin patch
=== modified file 'src/ssl/PeerConnector.cc'
--- src/ssl/PeerConnector.cc 2014-10-07 17:26:33 +0000
+++ src/ssl/PeerConnector.cc 2014-12-20 16:05:08 +0000
@@ -163,6 +163,13 @@
 srvBio->recordInput(true);
 srvBio->mode(request->clientConnectionManager->sslBumpMode);
 }
+
+ const bool isConnectRequest = request->clientConnectionManager.valid() &&
+ !request->clientConnectionManager->port->flags.isIntercepted();
+ if (isConnectRequest)
+ SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost());
+ else if (!features.serverName.isEmpty())
+ SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)features.serverName.c_str());
 }
 } else {
 // While we are peeking at the certificate, we may not know the server
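Review bot: The two new `SSL_set_ex_data` calls hand the SSL object raw, unowned pointers (`request->GetHost()` and `features.serverName.c_str()`), and nothing in the hunk shows that those character buffers stay alive and unmodified until certificate verification reads the slot; if `serverName` is an SBuf, as its `isEmpty()` suggests, `c_str()` returns a pointer that is only valid until the buffer is next modified, so a later dangling read would silently corrupt the expected hostname. A comment above the `if` would make the contract visible, e.g. `// ssl_ex_index_server holds a borrowed pointer: the CONNECT host / SNI buffer must outlive this SSL object's certificate verification`, and checking the return value of `SSL_set_ex_data` (0 on failure) would avoid proceeding to verification with no expected name set. The C-style `(void*)` casts discard `const` on both operands; `const_cast<char*>(...)` would state that explicitly. Note that on the intercepted path the expected name is the client-supplied SNI, so the domain check is only as strong as the name the client asked for, which appears to be the intended design here. The enclosing function begins and ends outside the hunk.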