Re: peek/splice

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Sun, 03 Aug 2014 22:00:10 -0600

On 07/31/2014 07:59 PM, Josh Crane wrote:

> SSL *clientSsl = fd_table[request->clientConnectionManager->clientConnection->fd].ssl;
> BIO *b = SSL_get_rbio(clientSsl);
> Ssl::ClientBio *clnBio = static_cast<Ssl::ClientBio *>(b->ptr);
> const Ssl::Bio::sslFeatures &features = clnBio->getFeatures();
> ...
> if (!features.serverName.empty())
>     SSL_set_tlsext_host_name(ssl, features.serverName.c_str());
>
> <<

> Given the above and related code within bio/clientbio, I'd like to be
> able to call SSL_get_servername() or similar to grab the target https
> hostname (via TLS SNI) from within httpsAccept() (i.e. before a peek is
> performed).

> Is this possible?

It is possible in client-first bumping mode (which has many limitations
unrelated to SNI, unfortunately).

Server-first bumping peeks at the origin server before the handshake
with the client (in the current official code). To get SNI info, Squid
has to receive and process SSL client Hello. The combination prohibits
you from using SNI with server-first bumping (without all the extra BIO
work performed by the Peek and Splice branch).

> and given that's all I want from the peek/slice branch atm, is it
> easy enough to merge the relevant sections with stable to achieve
> what I want?

I believe the ease of porting that code depends on the bumping mode (see
above). Please keep in mind that the Peek and Splice branch should be
submitted for official audit very soon.

> Also, is it possible to get the peek/slice branch neatly packaged for
> config/compilation on generic (various) distributions?

Possible but hopefully pointless, because I hope that the polished Peek
and Splice code will be officially accepted in the nearest future. If you
want to help with polishing and testing, please let me know.

HTH,

Alex.
Received on Mon Aug 04 2014 - 04:00:19 MDT
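The reason SNI is unavailable before the client handshake is processed is that the server name lives inside the TLS ClientHello itself. The following is an added illustration, not Squid's or the Peek and Splice branch's code: a minimal parser that walks a raw ClientHello record to the server_name extension (RFC 6066), with bounds checks at every length field, run over a constructed sample record (not a capture).

```c
#include <stdint.h>
#include <string.h>

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }
#define NEED(n) do { if (pos + (n) > end) return -1; } while (0)

/* Pull the SNI host_name out of a raw TLS ClientHello record into out.
 * Returns the name length, 0 if no server_name extension, -1 if malformed. */
int tls_sni_from_client_hello(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (len < 5 || buf[0] != 0x16) return -1;            /* record type 22 = handshake */
    size_t end = 5 + rd16(buf + 3), pos = 5;
    if (end > len || end < pos + 4 || buf[pos] != 0x01) return -1; /* msg type 1 = ClientHello */
    pos += 4 + 2 + 32;                                   /* handshake header, version, random */
    NEED(1); pos += 1 + buf[pos];                        /* session_id */
    NEED(2); pos += 2 + rd16(buf + pos);                 /* cipher_suites */
    NEED(1); pos += 1 + buf[pos];                        /* compression_methods */
    if (pos == end) return 0;                            /* no extensions block at all */
    NEED(2); size_t ext_end = pos + 2 + rd16(buf + pos);
    if (ext_end > end) return -1;
    for (pos += 2; pos + 4 <= ext_end; ) {
        size_t type = rd16(buf + pos), elen = rd16(buf + pos + 2);
        pos += 4;
        if (pos + elen > ext_end) return -1;
        if (type == 0) {                                 /* server_name extension */
            if (elen < 5 || buf[pos + 2] != 0) return -1; /* list_len(2), name_type 0 = host_name */
            size_t nlen = rd16(buf + pos + 3);
            if (5 + nlen > elen || nlen + 1 > outsz) return -1;
            memcpy(out, buf + pos + 5, nlen); out[nlen] = '\0';
            return (int)nlen;
        }
        pos += elen;
    }
    return 0;
}

/* Constructed sample: a TLS 1.2 ClientHello carrying SNI "example.com" (not a real capture). */
static const uint8_t kHello[] = {
    0x16, 0x03, 0x01, 0x00, 0x43,             /* record: handshake, length 67 */
    0x01, 0x00, 0x00, 0x3f, 0x03, 0x03,       /* ClientHello, length 63, TLS 1.2 */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* random */
    0x00, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00, /* no session_id, one suite, null compression */
    0x00, 0x14, 0x00, 0x00, 0x00, 0x10,       /* extensions len 20; server_name ext len 16 */
    0x00, 0x0e, 0x00, 0x00, 0x0b,             /* list len 14, host_name, name len 11 */
    'e','x','a','m','p','l','e','.','c','o','m' };

const char *sample_sni(void) {                /* yields "example.com" */
    static char name[256];
    return tls_sni_from_client_hello(kHello, sizeof kHello, name, sizeof name) > 0 ? name : NULL;
}
/* Feeding only the first 40 bytes shows a truncated record being rejected (-1). */
int sample_truncated(void) { char n[8]; return tls_sni_from_client_hello(kHello, 40, n, sizeof n); }
```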

This archive was generated by hypermail 2.2.0 : Mon Aug 04 2014 - 12:00:11 MDT