When tunneling a TLS connection through an HTTP proxy the hostname of the proxy server is incorrectly used for peer verification. As-is the following error will be raised:
em-http-request-1.1.7/lib/em-http/http_connection.rb:72:in `ssl_handshake_completed': host "some.proxy.server.tld" does not match the server certificate (OpenSSL::SSL::SSLError)
It seems that this is because `connopts.host` will always contain the proxy hostname when a proxy is configured and is unconditionally used for peer verification. The resolution suggested in this PR is instead using `@tls[:sni_hostname]` which will contain the correct downstream hostname.
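The mismatch described above can be reproduced offline with Ruby's OpenSSL bindings. This is an added example, not code from the PR or from em-http-request: `origin.example`, `verification_host` and `identity_ok?` are hypothetical names, the certificate is a constructed throwaway, and the fallback to the connect host when no SNI hostname is set is an assumption.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate for `hostname` (constructed sample data).
def self_signed_cert(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hypothetical helper: choose the name the peer certificate is checked against.
# With a proxy configured, connect_host is the proxy, so the TLS target name
# must come from the TLS options (assumption: fall back to connect_host if unset).
def verification_host(connect_host, tls_opts)
  tls_opts[:sni_hostname] || connect_host
end

# RFC 6125-style identity check provided by Ruby's OpenSSL bindings.
def identity_ok?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $PROGRAM_NAME
  proxy  = 'some.proxy.server.tld'   # hostname from the error message above
  origin = 'origin.example'          # constructed downstream hostname
  cert   = self_signed_cert(origin)  # what the origin presents inside the tunnel

  puts "verify against proxy host: #{identity_ok?(cert, proxy)}"
  fixed = verification_host(proxy, { sni_hostname: origin })
  puts "verify against #{fixed}: #{identity_ok?(cert, fixed)}"
end
```

The check only protects the connection if the SNI hostname is set to the host the client intends to reach; verifying against any other name either fails as shown or validates the wrong peer.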