2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 83 TLS Server/Peer negotiation */
12 #include "acl/FilledChecklist.h"
13 #include "comm/Loops.h"
14 #include "Downloader.h"
15 #include "errorpage.h"
17 #include "http/Stream.h"
18 #include "HttpRequest.h"
19 #include "security/NegotiationHistory.h"
20 #include "security/PeerConnector.h"
21 #include "SquidConfig.h"
24 #include "ssl/cert_validate_message.h"
25 #include "ssl/Config.h"
26 #include "ssl/helper.h"
29 CBDATA_NAMESPACED_CLASS_INIT(Security
, PeerConnector
);
31 Security::PeerConnector::PeerConnector(const Comm::ConnectionPointer
&aServerConn
, AsyncCall::Pointer
&aCallback
, const AccessLogEntryPointer
&alp
, const time_t timeout
) :
32 AsyncJob("Security::PeerConnector"),
33 serverConn(aServerConn
),
36 negotiationTimeout(timeout
),
37 startTime(squid_curtime
),
38 useCertValidator_(true),
41 debugs(83, 5, "Security::PeerConnector constructed, this=" << (void*)this);
42 // if this throws, the caller's cb dialer is not our CbDialer
43 Must(dynamic_cast<CbDialer
*>(callback
->getDialer()));
46 Security::PeerConnector::~PeerConnector()
48 debugs(83, 5, "Security::PeerConnector destructed, this=" << (void*)this);
51 bool Security::PeerConnector::doneAll() const
53 return (!callback
|| callback
->canceled()) && AsyncJob::doneAll();
56 /// Preps connection and SSL state. Calls negotiate().
58 Security::PeerConnector::start()
61 debugs(83, 5, "this=" << (void*)this);
63 Security::SessionPointer tmp
;
64 if (prepareSocket() && initialize(tmp
))
67 mustStop("Security::PeerConnector TLS socket initialize failed");
71 Security::PeerConnector::commCloseHandler(const CommCloseCbParams
¶ms
)
73 debugs(83, 5, "FD " << params
.fd
<< ", Security::PeerConnector=" << params
.data
);
74 connectionClosed("Security::PeerConnector::commCloseHandler");
78 Security::PeerConnector::connectionClosed(const char *reason
)
80 debugs(83, 5, reason
<< " socket closed/closing. this=" << (void*)this);
86 Security::PeerConnector::prepareSocket()
88 debugs(83, 5, serverConnection() << ", this=" << (void*)this);
89 if (!Comm::IsConnOpen(serverConnection()) || fd_table
[serverConnection()->fd
].closing()) {
90 connectionClosed("Security::PeerConnector::prepareSocket");
94 debugs(83, 5, serverConnection());
96 // watch for external connection closures
97 typedef CommCbMemFunT
<Security::PeerConnector
, CommCloseCbParams
> Dialer
;
98 closeHandler
= JobCallback(9, 5, Dialer
, this, Security::PeerConnector::commCloseHandler
);
99 comm_add_close_handler(serverConnection()->fd
, closeHandler
);
104 Security::PeerConnector::initialize(Security::SessionPointer
&serverSession
)
106 Security::ContextPointer
ctx(getTlsContext());
107 debugs(83, 5, serverConnection() << ", ctx=" << (void*)ctx
.get());
109 if (!ctx
|| !Security::CreateClientSession(ctx
, serverConnection(), "server https start")) {
110 const auto xerrno
= errno
;
112 debugs(83, DBG_IMPORTANT
, "Error initializing TLS connection: No security context.");
113 } // else CreateClientSession() did the appropriate debugs() already
114 ErrorState
*anErr
= new ErrorState(ERR_SOCKET_FAILURE
, Http::scInternalServerError
, request
.getRaw());
115 anErr
->xerrno
= xerrno
;
116 noteNegotiationDone(anErr
);
121 // A TLS/SSL session has now been created for the connection and stored in fd_table
122 serverSession
= fd_table
[serverConnection()->fd
].ssl
;
123 debugs(83, 5, serverConnection() << ", session=" << (void*)serverSession
.get());
126 // If CertValidation Helper used do not lookup checklist for errors,
127 // but keep a list of errors to send it to CertValidator
128 if (!Ssl::TheConfig
.ssl_crt_validator
) {
129 // Create the ACL check list now, while we have access to more info.
130 // The list is used in ssl_verify_cb() and is freed in ssl_free().
131 if (acl_access
*acl
= ::Config
.ssl_client
.cert_error
) {
132 ACLFilledChecklist
*check
= new ACLFilledChecklist(acl
, request
.getRaw(), dash_str
);
134 // check->fd(fd); XXX: need client FD here
135 SSL_set_ex_data(serverSession
.get(), ssl_ex_index_cert_error_check
, check
);
144 Security::PeerConnector::setReadTimeout()
147 if (negotiationTimeout
) {
148 const int timeUsed
= squid_curtime
- startTime
;
149 const int timeLeft
= max(0, static_cast<int>(negotiationTimeout
- timeUsed
));
150 timeToRead
= min(static_cast<int>(::Config
.Timeout
.read
), timeLeft
);
152 timeToRead
= ::Config
.Timeout
.read
;
153 AsyncCall::Pointer nil
;
154 commSetConnTimeout(serverConnection(), timeToRead
, nil
);
158 Security::PeerConnector::recordNegotiationDetails()
160 const int fd
= serverConnection()->fd
;
161 Security::SessionPointer
session(fd_table
[fd
].ssl
);
163 // retrieve TLS server negotiated information if any
164 serverConnection()->tlsNegotiations()->retrieveNegotiatedInfo(session
);
167 // retrieve TLS parsed extra info
168 BIO
*b
= SSL_get_rbio(session
.get());
169 Ssl::ServerBio
*bio
= static_cast<Ssl::ServerBio
*>(BIO_get_data(b
));
170 if (const Security::TlsDetails::Pointer
&details
= bio
->receivedHelloDetails())
171 serverConnection()->tlsNegotiations()->retrieveParsedInfo(details
);
176 Security::PeerConnector::negotiate()
178 if (!Comm::IsConnOpen(serverConnection()))
181 const int fd
= serverConnection()->fd
;
182 if (fd_table
[fd
].closing())
186 auto session
= fd_table
[fd
].ssl
.get();
187 debugs(83, 5, "SSL_connect session=" << (void*)session
);
188 const int result
= SSL_connect(session
);
191 auto session
= fd_table
[fd
].ssl
.get();
192 const int result
= gnutls_handshake(session
);
193 debugs(83, 5, "gnutls_handshake session=" << (void*)session
<< ", result=" << result
);
195 if (result
== GNUTLS_E_SUCCESS
) {
196 char *desc
= gnutls_session_get_desc(session
);
197 debugs(83, 2, serverConnection() << " TLS Session info: " << desc
);
201 if (result
!= GNUTLS_E_SUCCESS
) {
202 // debug the TLS session state so far
203 auto descIn
= gnutls_handshake_get_last_in(session
);
204 debugs(83, 2, "handshake IN: " << gnutls_handshake_description_get_name(descIn
));
205 auto descOut
= gnutls_handshake_get_last_out(session
);
206 debugs(83, 2, "handshake OUT: " << gnutls_handshake_description_get_name(descOut
));
208 if (const int result
= -1) {
210 handleNegotiateError(result
);
211 return; // we might be gone by now
214 recordNegotiationDetails();
223 Security::PeerConnector::sslFinalized()
226 if (Ssl::TheConfig
.ssl_crt_validator
&& useCertValidator_
) {
227 const int fd
= serverConnection()->fd
;
228 Security::SessionPointer
session(fd_table
[fd
].ssl
);
230 Ssl::CertValidationRequest validationRequest
;
231 // WARNING: Currently we do not use any locking for 'errors' member
232 // of the Ssl::CertValidationRequest class. In this code the
233 // Ssl::CertValidationRequest object used only to pass data to
234 // Ssl::CertValidationHelper::submit method.
235 validationRequest
.ssl
= session
;
236 if (SBuf
*dName
= (SBuf
*)SSL_get_ex_data(session
.get(), ssl_ex_index_server
))
237 validationRequest
.domainName
= dName
->c_str();
238 if (Security::CertErrors
*errs
= static_cast<Security::CertErrors
*>(SSL_get_ex_data(session
.get(), ssl_ex_index_ssl_errors
)))
239 // validationRequest disappears on return so no need to cbdataReference
240 validationRequest
.errors
= errs
;
242 debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd.");
243 AsyncCall::Pointer call
= asyncCall(83,5, "Security::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerConnector::sslCrtvdHandleReply
, nullptr));
244 Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest
, call
);
246 } catch (const std::exception
&e
) {
247 debugs(83, DBG_IMPORTANT
, "ERROR: Failed to compose ssl_crtvd " <<
248 "request for " << validationRequest
.domainName
<<
249 " certificate: " << e
.what() << "; will now block to " <<
250 "validate that certificate.");
251 // fall through to do blocking in-process generation.
252 ErrorState
*anErr
= new ErrorState(ERR_GATEWAY_FAILURE
, Http::scInternalServerError
, request
.getRaw());
254 noteNegotiationDone(anErr
);
262 noteNegotiationDone(NULL
);
268 Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse
)
270 Must(validationResponse
!= NULL
);
272 Ssl::ErrorDetail
*errDetails
= NULL
;
273 bool validatorFailed
= false;
274 if (!Comm::IsConnOpen(serverConnection())) {
278 if (Debug::Enabled(83, 5)) {
279 Security::SessionPointer
ssl(fd_table
[serverConnection()->fd
].ssl
);
280 SBuf
*server
= static_cast<SBuf
*>(SSL_get_ex_data(ssl
.get(), ssl_ex_index_server
));
281 debugs(83,5, RawPointer("host", server
) << " cert validation result: " << validationResponse
->resultCode
);
284 if (validationResponse
->resultCode
== ::Helper::Error
) {
285 if (Security::CertErrors
*errs
= sslCrtvdCheckForErrors(*validationResponse
, errDetails
)) {
286 Security::SessionPointer
session(fd_table
[serverConnection()->fd
].ssl
);
287 Security::CertErrors
*oldErrs
= static_cast<Security::CertErrors
*>(SSL_get_ex_data(session
.get(), ssl_ex_index_ssl_errors
));
288 SSL_set_ex_data(session
.get(), ssl_ex_index_ssl_errors
, (void *)errs
);
291 } else if (validationResponse
->resultCode
!= ::Helper::Okay
)
292 validatorFailed
= true;
294 if (!errDetails
&& !validatorFailed
) {
295 noteNegotiationDone(NULL
);
300 ErrorState
*anErr
= NULL
;
301 if (validatorFailed
) {
302 anErr
= new ErrorState(ERR_GATEWAY_FAILURE
, Http::scInternalServerError
, request
.getRaw());
304 anErr
= new ErrorState(ERR_SECURE_CONNECT_FAIL
, Http::scServiceUnavailable
, request
.getRaw());
305 anErr
->detail
= errDetails
;
306 /*anErr->xerrno= Should preserved*/
309 noteNegotiationDone(anErr
);
317 /// Checks errors in the cert. validator response against sslproxy_cert_error.
318 /// The first honored error, if any, is returned via errDetails parameter.
319 /// The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors.
320 Security::CertErrors
*
321 Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse
const &resp
, Ssl::ErrorDetail
*& errDetails
)
323 ACLFilledChecklist
*check
= NULL
;
324 if (acl_access
*acl
= ::Config
.ssl_client
.cert_error
) {
325 check
= new ACLFilledChecklist(acl
, request
.getRaw(), dash_str
);
329 Security::CertErrors
*errs
= nullptr;
330 Security::SessionPointer
session(fd_table
[serverConnection()->fd
].ssl
);
331 typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI
;
332 for (SVCRECI i
= resp
.errors
.begin(); i
!= resp
.errors
.end(); ++i
) {
333 debugs(83, 7, "Error item: " << i
->error_no
<< " " << i
->error_reason
);
335 assert(i
->error_no
!= SSL_ERROR_NONE
);
338 bool allowed
= false;
340 check
->sslErrors
= new Security::CertErrors(Security::CertError(i
->error_no
, i
->cert
, i
->error_depth
));
341 if (check
->fastCheck().allowed())
344 // else the Config.ssl_client.cert_error access list is not defined
345 // and the first error will cause the error page
348 debugs(83, 3, "bypassing SSL error " << i
->error_no
<< " in " << "buffer");
350 debugs(83, 5, "confirming SSL error " << i
->error_no
);
351 X509
*brokenCert
= i
->cert
.get();
352 Security::CertPointer
peerCert(SSL_get_peer_certificate(session
.get()));
353 const char *aReason
= i
->error_reason
.empty() ? NULL
: i
->error_reason
.c_str();
354 errDetails
= new Ssl::ErrorDetail(i
->error_no
, peerCert
.get(), brokenCert
, aReason
);
357 delete check
->sslErrors
;
358 check
->sslErrors
= NULL
;
363 errs
= new Security::CertErrors(Security::CertError(i
->error_no
, i
->cert
, i
->error_depth
));
365 errs
->push_back_unique(Security::CertError(i
->error_no
, i
->cert
, i
->error_depth
));
374 /// A wrapper for Comm::SetSelect() notifications.
376 Security::PeerConnector::NegotiateSsl(int, void *data
)
378 PeerConnector
*pc
= static_cast<Security::PeerConnector
*>(data
);
379 // Use job calls to add done() checks and other job logic/protections.
380 CallJobHere(83, 7, pc
, Security::PeerConnector
, negotiate
);
384 Security::PeerConnector::handleNegotiateError(const int ret
)
386 const int fd
= serverConnection()->fd
;
387 const Security::SessionPointer
session(fd_table
[fd
].ssl
);
388 unsigned long ssl_lib_error
= ret
;
391 const int ssl_error
= SSL_get_error(session
.get(), ret
);
394 case SSL_ERROR_WANT_READ
:
398 case SSL_ERROR_WANT_WRITE
:
403 case SSL_ERROR_SYSCALL
:
404 ssl_lib_error
= ERR_get_error();
405 // proceed to the general error handling code
408 // no special error handling for all other errors
409 ssl_lib_error
= SSL_ERROR_NONE
;
414 const int ssl_error
= ret
;
417 case GNUTLS_E_WARNING_ALERT_RECEIVED
: {
418 auto alert
= gnutls_alert_get(session
.get());
419 debugs(83, DBG_IMPORTANT
, "TLS ALERT: " << gnutls_alert_get_name(alert
));
421 // drop through to next case
424 case GNUTLS_E_INTERRUPTED
:
425 if (gnutls_record_get_direction(session
.get()) == 0)
432 // no special error handling for all other errors
437 // this avoids unused variable compiler warnings.
439 const int ssl_error
= ret
;
442 // Log connection details, if any
443 recordNegotiationDetails();
444 noteNegotiationError(ret
, ssl_error
, ssl_lib_error
);
448 Security::PeerConnector::noteWantRead()
450 const int fd
= serverConnection()->fd
;
451 debugs(83, 5, serverConnection());
453 Security::SessionPointer
session(fd_table
[fd
].ssl
);
454 BIO
*b
= SSL_get_rbio(session
.get());
455 Ssl::ServerBio
*srvBio
= static_cast<Ssl::ServerBio
*>(BIO_get_data(b
));
456 if (srvBio
->holdRead()) {
457 if (srvBio
->gotHello()) {
458 if (checkForMissingCertificates())
459 return; // Wait to download certificates before proceed.
461 srvBio
->holdRead(false);
462 // schedule a negotiateSSl to allow openSSL parse received data
463 Security::PeerConnector::NegotiateSsl(fd
, this);
465 } else if (srvBio
->gotHelloFailed()) {
466 srvBio
->holdRead(false);
467 debugs(83, DBG_IMPORTANT
, "Error parsing SSL Server Hello Message on FD " << fd
);
468 // schedule a negotiateSSl to allow openSSL parse received data
469 Security::PeerConnector::NegotiateSsl(fd
, this);
475 Comm::SetSelect(fd
, COMM_SELECT_READ
, &NegotiateSsl
, this, 0);
479 Security::PeerConnector::noteWantWrite()
481 const int fd
= serverConnection()->fd
;
482 debugs(83, 5, serverConnection());
483 Comm::SetSelect(fd
, COMM_SELECT_WRITE
, &NegotiateSsl
, this, 0);
488 Security::PeerConnector::noteNegotiationError(const int ret
, const int ssl_error
, const int ssl_lib_error
)
491 int sysErrNo
= EPROTO
;
493 int sysErrNo
= EACCES
;
497 // store/report errno when ssl_error is SSL_ERROR_SYSCALL, ssl_lib_error is 0, and ret is -1
498 if (ssl_error
== SSL_ERROR_SYSCALL
&& ret
== -1 && ssl_lib_error
== 0)
503 const int fd
= serverConnection()->fd
;
504 debugs(83, DBG_IMPORTANT
, "ERROR: negotiating TLS on FD " << fd
<<
505 ": " << Security::ErrorString(ssl_lib_error
) << " (" <<
506 ssl_error
<< "/" << ret
<< "/" << xerr
<< ")");
508 ErrorState
*anErr
= ErrorState::NewForwarding(ERR_SECURE_CONNECT_FAIL
, request
);
509 anErr
->xerrno
= sysErrNo
;
512 Security::SessionPointer
session(fd_table
[fd
].ssl
);
513 Ssl::ErrorDetail
*errFromFailure
= static_cast<Ssl::ErrorDetail
*>(SSL_get_ex_data(session
.get(), ssl_ex_index_ssl_error_detail
));
514 if (errFromFailure
!= NULL
) {
515 // The errFromFailure is attached to the ssl object
516 // and will be released when ssl object destroyed.
517 // Copy errFromFailure to a new Ssl::ErrorDetail object
518 anErr
->detail
= new Ssl::ErrorDetail(*errFromFailure
);
520 // server_cert can be NULL here
521 X509
*server_cert
= SSL_get_peer_certificate(session
.get());
522 anErr
->detail
= new Ssl::ErrorDetail(SQUID_ERR_SSL_HANDSHAKE
, server_cert
, NULL
);
523 X509_free(server_cert
);
526 if (ssl_lib_error
!= SSL_ERROR_NONE
)
527 anErr
->detail
->setLibError(ssl_lib_error
);
530 noteNegotiationDone(anErr
);
535 Security::PeerConnector::bail(ErrorState
*error
)
537 Must(error
); // or the recepient will not know there was a problem
538 Must(callback
!= NULL
);
539 CbDialer
*dialer
= dynamic_cast<CbDialer
*>(callback
->getDialer());
541 dialer
->answer().error
= error
;
544 // Our job is done. The callabck recepient will probably close the failed
545 // peer connection and try another peer or go direct (if possible). We
546 // can close the connection ourselves (our error notification would reach
547 // the recepient before the fd-closure notification), but we would rather
548 // minimize the number of fd-closure notifications and let the recepient
549 // manage the TCP state of the connection.
553 Security::PeerConnector::callBack()
555 debugs(83, 5, "TLS setup ended for " << serverConnection());
557 AsyncCall::Pointer cb
= callback
;
558 // Do this now so that if we throw below, swanSong() assert that we _tried_
559 // to call back holds.
560 callback
= NULL
; // this should make done() true
562 // remove close handler
563 comm_remove_close_handler(serverConnection()->fd
, closeHandler
);
565 CbDialer
*dialer
= dynamic_cast<CbDialer
*>(cb
->getDialer());
567 dialer
->answer().conn
= serverConnection();
568 ScheduleCallHere(cb
);
572 Security::PeerConnector::swanSong()
574 // XXX: unregister fd-closure monitoring and CommSetSelect interest, if any
575 AsyncJob::swanSong();
576 if (callback
!= NULL
) { // paranoid: we have left the caller waiting
577 debugs(83, DBG_IMPORTANT
, "BUG: Unexpected state while connecting to a cache_peer or origin server");
578 ErrorState
*anErr
= new ErrorState(ERR_GATEWAY_FAILURE
, Http::scInternalServerError
, request
.getRaw());
586 Security::PeerConnector::status() const
591 // TODO: redesign AsyncJob::status() API to avoid this
592 // id and stop reason reporting duplication.
594 if (stopReason
!= NULL
) {
595 buf
.append("Stopped, reason:", 16);
596 buf
.appendf("%s",stopReason
);
598 if (serverConn
!= NULL
)
599 buf
.appendf(" FD %d", serverConn
->fd
);
600 buf
.appendf(" %s%u]", id
.prefix(), id
.value
);
603 return buf
.content();
607 /// CallDialer to allow use Downloader objects within PeerConnector class.
608 class PeerConnectorCertDownloaderDialer
: public Downloader::CbDialer
611 typedef void (Security::PeerConnector::*Method
)(SBuf
&object
, int status
);
613 PeerConnectorCertDownloaderDialer(Method method
, Security::PeerConnector
*pc
):
615 peerConnector_(pc
) {}
618 virtual bool canDial(AsyncCall
&call
) { return peerConnector_
.valid(); }
619 virtual void dial(AsyncCall
&call
) { ((&(*peerConnector_
))->*method_
)(object
, status
); }
620 Method method_
; ///< The Security::PeerConnector method to dial
621 CbcPointer
<Security::PeerConnector
> peerConnector_
; ///< The Security::PeerConnector object
625 Security::PeerConnector::startCertDownloading(SBuf
&url
)
627 AsyncCall::Pointer certCallback
= asyncCall(81, 4,
628 "Security::PeerConnector::certDownloadingDone",
629 PeerConnectorCertDownloaderDialer(&Security::PeerConnector::certDownloadingDone
, this));
631 const Downloader
*csd
= (request
? dynamic_cast<const Downloader
*>(request
->downloader
.valid()) : nullptr);
632 Downloader
*dl
= new Downloader(url
, certCallback
, XactionInitiator::initCertFetcher
, csd
? csd
->nestedLevel() + 1 : 1);
637 Security::PeerConnector::certDownloadingDone(SBuf
&obj
, int downloadStatus
)
640 debugs(81, 5, "Certificate downloading status: " << downloadStatus
<< " certificate size: " << obj
.length());
642 // get ServerBio from SSL object
643 const int fd
= serverConnection()->fd
;
644 Security::SessionPointer
session(fd_table
[fd
].ssl
);
645 BIO
*b
= SSL_get_rbio(session
.get());
646 Ssl::ServerBio
*srvBio
= static_cast<Ssl::ServerBio
*>(BIO_get_data(b
));
648 // Parse Certificate. Assume that it is in DER format.
649 // According to RFC 4325:
650 // The server must provide a DER encoded certificate or a collection
651 // collection of certificates in a "certs-only" CMS message.
652 // The applications MUST accept DER encoded certificates and SHOULD
653 // be able to accept collection of certificates.
654 // TODO: support collection of certificates
655 const unsigned char *raw
= (const unsigned char*)obj
.rawContent();
656 if (X509
*cert
= d2i_X509(NULL
, &raw
, obj
.length())) {
658 debugs(81, 5, "Retrieved certificate: " << X509_NAME_oneline(X509_get_subject_name(cert
), buffer
, 1024));
659 const Security::CertList
&certsList
= srvBio
->serverCertificatesIfAny();
660 if (const char *issuerUri
= Ssl::uriOfIssuerIfMissing(cert
, certsList
)) {
661 urlsOfMissingCerts
.push(SBuf(issuerUri
));
663 Ssl::SSL_add_untrusted_cert(session
.get(), cert
);
666 // Check if there are URIs to download from and if yes start downloading
667 // the first in queue.
668 if (urlsOfMissingCerts
.size() && certsDownloads
<= MaxCertsDownloads
) {
669 startCertDownloading(urlsOfMissingCerts
.front());
670 urlsOfMissingCerts
.pop();
674 srvBio
->holdRead(false);
675 Security::PeerConnector::NegotiateSsl(serverConnection()->fd
, this);
679 Security::PeerConnector::checkForMissingCertificates()
681 // Check for nested SSL certificates downloads. For example when the
682 // certificate located in an SSL site which requires to download a
683 // a missing certificate (... from an SSL site which requires to ...).
685 const Downloader
*csd
= (request
? request
->downloader
.get() : nullptr);
686 if (csd
&& csd
->nestedLevel() >= MaxNestedDownloads
)
689 const int fd
= serverConnection()->fd
;
690 Security::SessionPointer
session(fd_table
[fd
].ssl
);
691 BIO
*b
= SSL_get_rbio(session
.get());
692 Ssl::ServerBio
*srvBio
= static_cast<Ssl::ServerBio
*>(BIO_get_data(b
));
693 const Security::CertList
&certs
= srvBio
->serverCertificatesIfAny();
696 debugs(83, 5, "SSL server sent " << certs
.size() << " certificates");
697 Ssl::missingChainCertificatesUrls(urlsOfMissingCerts
, certs
);
698 if (urlsOfMissingCerts
.size()) {
699 startCertDownloading(urlsOfMissingCerts
.front());
700 urlsOfMissingCerts
.pop();