Now the site field in the PassSite option can have an '*' suffix to search
for a match anywhere in sni or common names. Note that this is not a
regex or wildcard search.

Previously, we only supported exact matches in sni and between slashes
in common names. This change makes it possible to cover multiple sites
in one PassSite option. In fact, without this change, certain sites
could not be added as passsite, because it was impossible to know their
subdomain names beforehand, for example *.fbcdn.net, which may have many
subdomain names in place of the asterisk.

So to use substring match, append an '*' to a site name in the PassSite
option (the asterisk is removed before the substring search). For example,
use ".fbcdn.net*" to match all subdomains of fbcdn.net; note the
asterisk at the end.

We also add a warning log starting with "Closing on ssl error without
passsite match" to report sites that can be added as passsite, which is
expected to help in writing PassSite rules.

Also, we now set dstaddr_str earlier in conn handling, so we can print
it in debug logs. This also helps in IDLE and EXPIRED conn logs.
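The matching rule the commit message describes, as an added stand-alone illustration rather than the project's own code: exact match against the SNI or against a common name wrapped in slashes, and plain substring match (no regex, no wildcard) once a trailing '*' is stripped. The function names passsite_match and passsite_lookup, the NULL-terminated site list, and the assumption that the common-name list is formatted as "/cn1/cn2/" are mine and are not taken from the page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Does one PassSite entry match this connection?  (Illustrative only.)
 *  - "site"        : exact match against sni, or "/site/" inside ssl_names
 *  - "site*"       : '*' removed, then substring match against sni or ssl_names
 * ssl_names is assumed to be the slash-delimited common-name list "/cn1/cn2/". */
static bool passsite_match(const char *site, const char *sni, const char *ssl_names)
{
    size_t len = strlen(site);
    if (len == 0)
        return false;

    if (site[len - 1] == '*') {
        /* Substring mode: drop the trailing asterisk, refuse an empty needle
         * so that a bare "*" does not match every connection. */
        char *needle = malloc(len);              /* len-1 chars + NUL */
        if (!needle)
            return false;
        memcpy(needle, site, len - 1);
        needle[len - 1] = '\0';
        bool hit = needle[0] != '\0' &&
                   ((sni && strstr(sni, needle) != NULL) ||
                    (ssl_names && strstr(ssl_names, needle) != NULL));
        free(needle);
        return hit;
    }

    /* Exact mode: the whole SNI must equal the site. */
    if (sni && strcmp(sni, site) == 0)
        return true;

    /* Exact mode against common names: the site must sit between slashes. */
    if (ssl_names) {
        size_t wlen = len + 2;                   /* "/" + site + "/" */
        char *wrapped = malloc(wlen + 1);
        if (!wrapped)
            return false;
        snprintf(wrapped, wlen + 1, "/%s/", site);
        bool hit = strstr(ssl_names, wrapped) != NULL;
        free(wrapped);
        return hit;
    }
    return false;
}

/* Walk a NULL-terminated list of PassSite entries; return the first match or NULL. */
static const char *passsite_lookup(const char *const *sites, const char *sni,
                                   const char *ssl_names)
{
    for (; *sites; sites++)
        if (passsite_match(*sites, sni, ssl_names))
            return *sites;
    return NULL;
}

/* Constructed sample configuration: one exact entry, one substring entry. */
static const char *const kSites[] = { "example.test", ".fbcdn.net*", NULL };

int main(void)
{
    /* Constructed sample connections. */
    const char *sni[] = { "static.xx.fbcdn.net", "www.example.test", "other.test" };
    const char *cn[]  = { "/static.xx.fbcdn.net/", "/www.example.test/", "/other.test/" };
    for (int i = 0; i < 3; i++) {
        const char *hit = passsite_lookup(kSites, sni[i], cn[i]);
        if (hit)
            printf("Found pass site: %s for sni %s\n", hit, sni[i]);
        else
            printf("Closing on ssl error without passsite match: %s, %s\n", sni[i], cn[i]);
    }
    return 0;
}
```

One point worth keeping in mind when writing rules: because the '*' form is a substring search, ".fbcdn.net*" also matches an SNI such as "cdn.fbcdn.net.example.test", where the configured name is merely embedded in a longer, unrelated hostname. A suffix check would be narrower; the substring semantics the message specifies are what the example implements.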
log_err_level_printf(LOG_WARNING,"Found pass site: %.*s for ip %s\n",(int)strlen(passsite->site)-2,passsite->site+1,STRORDASH(passsite->ip));
log_err_level_printf(LOG_WARNING,"Found pass site: %.*s for ip %s\n",(int)strlen(passsite->site)-2,passsite->site+1,STRORDASH(passsite->ip));
#endif /* WITHOUT_USERAUTH */
// Differentiate passsite from passthrough option by raising the passsite flag
ctx->sslctx->passsite=1;
cert_free(cert);
returnNULL;
}elseif(rv==-1){
// enomem
cert_free(cert);
returnNULL;
// Differentiate passsite from passthrough option by raising the passsite flag
ctx->sslctx->passsite=1;
cert_free(cert);
returnNULL;
}elseif(rv==-1){
// enomem
cert_free(cert);
returnNULL;
}
}
passsite=passsite->next;
}
passsite=passsite->next;
log_finest_va("No passsite match with sni or common name: %s:%s, %s:%s, %s, %s, %s, %s",STRORDASH(ctx->srchost_str),STRORDASH(ctx->srcport_str),STRORDASH(ctx->dsthost_str),STRORDASH(ctx->dstport_str),STRORDASH(ctx->user),STRORDASH(ctx->desc),STRORDASH(ctx->sslctx->sni),STRORDASH(ctx->sslctx->ssl_names));
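Review bot: the "Found pass site" log at the top of this region prints the site with `(int)strlen(passsite->site)-2` and `passsite->site+1`, which assumes every stored site is still wrapped in slashes; with the new '*' suffix entries (asterisk removed before the substring search, per the message), confirm the stored form of a substring entry still fits that assumption, and guard the case of a site shorter than two characters, where the computed precision goes negative and `site+1` points at or past the terminator. Since this line fires on every routine match, consider whether LOG_WARNING is the right level or whether it belongs with the finest-level "No passsite match" log below. The `passsite=passsite->next;` advance now appears at two nesting levels; check that each loop path that does not return still reaches one of them, or the loop will spin on the same entry.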