1 ------------------------------------------------------------
3 revision-id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
4 parent: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
5 author: Christos Tsantilas <chtsanti@users.sourceforge.net>
6 committer: Amos Jeffries <squid3@treenet.co.nz>
8 timestamp: Mon 2016-11-14 23:51:24 +1300
10 Fix ssl::server_name ACL badly broken since inception.
12 The original server_name code mishandled all SNI checks and some rare
15 * The SNI-derived value was pointing to an already freed memory storage.
16 * Missing host-derived values were not detected (host() is never nil).
17 * Mismatches were re-checked with an undocumented "none" value
18 instead of being treated as mismatches.
20 Same for ssl::server_name_regex.
22 Also set SNI for more server-first and client-first transactions.
24 This is a Measurement Factory project.
25 ------------------------------------------------------------
26 # Bazaar merge directive format 2 (Bazaar 0.90)
27 # revision_id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
28 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
29 # testament_sha1: 46aadc410b46d91d597218961dbf1c634fb834fb
30 # timestamp: 2016-11-14 10:56:00 +0000
31 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
32 # base_revision_id: squid3@treenet.co.nz-20161111060325-\
36 === modified file 'src/acl/ServerName.cc'
37 --- src/acl/ServerName.cc 2016-09-08 12:27:06 +0000
38 +++ src/acl/ServerName.cc 2016-11-14 10:51:24 +0000
41 assert(checklist != NULL && checklist->request != NULL);
43 - if (checklist->conn() && checklist->conn()->serverBump()) {
44 - if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) {
45 - if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>))
50 const char *serverName = NULL;
51 - if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty()) {
52 - SBuf scn = checklist->conn()->sslCommonName();
53 - serverName = scn.c_str();
56 - if (serverName == NULL)
57 - serverName = checklist->request->GetHost();
59 - if (serverName && data->match(serverName)) {
63 - return data->match("none");
64 + SBuf serverNameKeeper; // because c_str() is not constant
65 + if (ConnStateData *conn = checklist->conn()) {
66 + if (conn->serverBump()) {
67 + if (X509 *peer_cert = conn->serverBump()->serverCert.get())
68 + return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>);
71 + if (conn->sslCommonName().isEmpty()) {
72 + const char *host = checklist->request->GetHost();
73 + if (host && *host) // paranoid first condition: host() is never nil
76 + serverNameKeeper = conn->sslCommonName();
77 + serverName = serverNameKeeper.c_str();
82 + serverName = "none";
84 + return data->match(serverName);
87 ACLServerNameStrategy *
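Review bot: The fallback `serverName = "none"` on the new side makes the reserved token indistinguishable from a real name, because the same `data->match(serverName)` call then handles both: a request whose Host header is literally `none` — or, if `sslCommonName()` carries the client-supplied SNI as the commit message suggests, a client that sends SNI `none` — will satisfy an `acl ... ssl::server_name none` rule that the operator wrote to catch "no name known" transactions. Since both values are attacker-controlled, a policy such as "bump only when no name is available" can be triggered deliberately; at minimum the substitution should carry a comment like `// NOTE: "none" is also a syntactically valid host/SNI label; an ACL listing "none" matches both the no-name case and a genuine name "none"`, and the cleaner fix is to treat `none` as a keyword in the ACL parameter parser rather than as a matchable string here. The `(void *)data` C-style cast passed to `Ssl::matchX509CommonNames` predates this change but would read better as `static_cast<void *>(data)`. The enclosing match function begins above the hunk, and the assignment inside the `if (host && *host)` branch is not visible in this view, so the host-derived path could not be checked.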
89 === modified file 'src/cf.data.pre'
90 --- src/cf.data.pre 2016-10-29 23:26:28 +0000
91 +++ src/cf.data.pre 2016-11-14 10:51:24 +0000
93 # During each Ssl-Bump step, Squid may improve its understanding of a
94 # "true server name". Unlike dstdomain, this ACL does not perform
96 + # The "none" name can be used to match transactions where Squid
97 + # could not compute the server name using any information source
98 + # already available at the ACL evaluation time.
100 acl aclname ssl::server_name_regex [-i] \.foo\.com ...
101 # regex matches server name obtained from various sources [fast]