Squid-to-origin SNI for ssl-bump

This patch adds Server Name Indication (SNI) support to the TLS connections that
Squid itself opens to servers, so that the origin's name is announced in the ClientHello
(as the forward.cc hunk shows, only when connecting directly to the origin, not via a peer).


=== modified file 'src/forward.cc'
--- src/forward.cc	2011-05-06 09:10:34 +0000
+++ src/forward.cc	2011-05-10 16:02:09 +0000
@@ -684,6 +684,10 @@
 
     } else {
         SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost());
+
+        // We need to set SNI TLS extension only in the case we are
+        // connecting direct to origin server
+        Ssl::setClientSNI(ssl, request->GetHost());
     }
 
     // Create the ACL check list now, while we have access to more info.
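Review bot: The return value of `Ssl::setClientSNI` is discarded at line 17, so a failed `SSL_set_tlsext_host_name` is only visible at debug level 3 while the handshake proceeds without SNI; against a virtual-hosted origin that typically yields a certificate for a different name, which later surfaces as a verification failure whose cause is hard to trace. Consider at least logging the outcome at the level this function uses elsewhere, e.g. `if (!Ssl::setClientSNI(ssl, request->GetHost())) debugs(17, 2, "WARNING: SNI not set for " << request->GetHost());`. Also, `request->GetHost()` may be an IP literal, which RFC 6066 does not permit in the server_name extension and which some servers reject, so either this caller or the helper should skip SNI when the host parses as an address. The enclosing function starts and ends outside this hunk.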

=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc	2011-05-04 07:19:55 +0000
+++ src/ssl/support.cc	2011-05-10 16:01:08 +0000
@@ -1237,4 +1237,23 @@
     return ret;
 }
 
+bool
+Ssl::setClientSNI(SSL *ssl, const char *hostname)
+{
+    //The SSL_CTRL_SET_TLSEXT_HOSTNAME is a openssl macro which indicates
+    // if the TLS servername extension (SNI) is enabled in openssl library.
+#if defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
+    if (!SSL_set_tlsext_host_name(ssl, hostname)) {
+        const int ssl_error = ERR_get_error();
+        debugs(83, 3,  "WARNING: unable to set TLS servername extension (SNI): " <<
+               ERR_error_string(ssl_error, NULL) << "\n");
+        return false;
+    }
+    return true;
+#else
+    debugs(83, 7,  "no support for TLS servername extension (SNI)\n");
+    return false;
+#endif
+}
+
 #endif /* USE_SSL */
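Review bot: `const int ssl_error = ERR_get_error();` at line 36 narrows the `unsigned long` error code, and `ERR_error_string(ssl_error, NULL)` then re-widens a possibly sign-extended value, so the logged reason can be garbled on LP64 platforms; declare it `const unsigned long ssl_error = ERR_get_error();`. The helper also forwards whatever it is given straight to OpenSSL: a NULL or empty `hostname`, or an IP literal (not allowed in server_name by RFC 6066), should be rejected up front with `return false` so every caller gets the check in one place. The `debugs()` messages end with an explicit `"\n"`; if `debugs()` terminates the line itself, as appears to be the Squid convention, these produce blank lines in cache.log and should be dropped.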

=== modified file 'src/ssl/support.h'
--- src/ssl/support.h	2010-12-14 01:12:24 +0000
+++ src/ssl/support.h	2011-05-10 10:20:09 +0000
@@ -132,6 +132,13 @@
  */
 int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
 
+/**
+   \ingroup ServerProtocolSSLAPI
+   * Sets the hostname for the Server Name Indication (SNI) TLS extension
+   * if supported by the used openssl toolkit.
+   \return true if SNI set false otherwise
+*/
+bool setClientSNI(SSL *ssl, const char *hostname);
 } //namespace Ssl
 
 #ifdef _SQUID_MSWIN_
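Review bot: The Doxygen block for `setClientSNI` omits what a caller needs to know to use it safely: the name is sent unencrypted in the ClientHello, it must be set before the handshake starts, and RFC 6066 disallows IP literals in server_name. Suggested additions to the block: `\param ssl the connection's SSL object; must be called before the handshake begins` and `\param hostname DNS name to announce; it is transmitted in cleartext and must not be an IP literal`. The block also mixes a bare `\ingroup` line with `*`-prefixed lines, while the comment ending at line 54 suggests the file uses a uniform leading `*`; aligning the new comment with that style would help.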