git.ipfire.org Git - thirdparty/squid.git/commit
Detail certificate validation errors during TLS handshake (#770)
author Christos Tsantilas <christos@chtsanti.net>
Thu, 11 Feb 2021 22:31:00 +0000 (22:31 +0000)
committer Squid Anubis <squid-anubis@squid-cache.org>
Thu, 11 Feb 2021 22:31:04 +0000 (22:31 +0000)
commit d2f0c10659152f0b99e4a21c1040dfc3d260f92e
tree 5a68221b01fb5f0f3ed57f6701e6b12568b7d7d7
parent c64d8e60a3f04951509929c03ab57d99b2c068e7
Detail certificate validation errors during TLS handshake (#770)

Fix certificate validation error handling in Security::Connect/Accept().
The existing validation details were not propagated/copied to IoResult,
requiring the caller to extract them via ssl_ex_index_ssl_error_detail.
The clunky approach even required a special "ErrorDetail generations"
API to figure out which error detail is "primary": the one received in
IoResult or the just extracted one. That API is removed now.

This change is used by the upcoming improvements that fetch missing TLS
v1.3 server certificates, but it also has an immediate positive effect
on the existing reporting of the client certificate validation errors.
Currently, only a general TLS error is reported for those cases because
Security::Accept() code forgot to check ssl_ex_index_ssl_error_detail.

This is a Measurement Factory project.
src/security/ErrorDetail.cc
src/security/ErrorDetail.h
src/security/Io.cc
src/security/PeerConnector.cc
src/ssl/PeekingPeerConnector.cc