2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
10 #define SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
12 #include "security/PeerConnector.h"
/// A PeerConnector for HTTP origin servers. Capable of SslBumping.
///
/// Extends Security::PeerConnector with the SslBump step3 decision logic:
/// once the server certificate has been seen, the ssl_bump ACLs are consulted
/// (checkForPeekAndSplice() and its callbacks) to decide whether the
/// connection is bumped, spliced, or terminated. Keeps the client-side TCP
/// connection (clientConn) so that the associated client connection manager
/// can be updated with server certificate details.
class PeekingPeerConnector: public Security::PeerConnector
{
    CBDATA_CLASS(PeekingPeerConnector);

    // NOTE(review): access specifiers and the constructor body are not
    // visible in this listing; only the member initializer list is shown.

    /// \param aRequest the HTTP request being forwarded (how it is used is not visible here)
    /// \param aServerConn TCP connection to the origin server; forwarded to Security::PeerConnector
    /// \param aClientConn TCP connection to the client; stored in clientConn
    /// \param aCallback AsyncCall forwarded to Security::PeerConnector
    /// \param alp access log entry for this transaction; forwarded to Security::PeerConnector
    /// \param timeout time_t value forwarded to Security::PeerConnector (0 by default)
    PeekingPeerConnector(HttpRequestPointer &aRequest,
                         const Comm::ConnectionPointer &aServerConn,
                         const Comm::ConnectionPointer &aClientConn,
                         AsyncCall::Pointer &aCallback,
                         const AccessLogEntryPointer &alp,
                         const time_t timeout = 0) :
        AsyncJob("Ssl::PeekingPeerConnector"),
        Security::PeerConnector(aServerConn, aCallback, alp, timeout),
        clientConn(aClientConn),
        resumingSession(false),
        serverCertificateHandled(false)

    /* Security::PeerConnector API */
    // Overrides of the base-class hooks; their contracts are documented in
    // security/PeerConnector.h.
    // NOTE(review): these are declared virtual without `override`; adding
    // `override` would let the compiler catch signature drift in the base.
    virtual bool initialize(Security::SessionPointer &);
    virtual Security::ContextPointer getTlsContext();
    virtual void noteWantWrite();
    /// \param result, ssl_error, ssl_lib_error error codes from the TLS
    ///        negotiation (presumably OpenSSL, given the USE_OPENSSL guard) — confirm in the .cc
    virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
    /// \param error the negotiation failure, if any
    virtual void noteNegotiationDone(ErrorState *error);

    /// Updates associated client connection manager members
    /// if the server certificate was received from the server.
    /// serverCertificateHandled records whether this succeeded.
    void handleServerCertificate();

    /// Initiates the ssl_bump acl check in step3 SSL bump step to decide
    /// about bumping, splicing or terminating the connection.
    /// The ACL verdict is delivered through cbCheckForPeekAndSpliceDone()
    /// and checkForPeekAndSpliceDone().
    void checkForPeekAndSplice();

    /// Callback function for ssl_bump acl check in step3 SSL bump step.
    /// \param answer the ssl_bump ACL verdict
    void checkForPeekAndSpliceDone(allow_t answer);

    /// Handles the final bumping decision.
    /// \param finalMode the bumping mode selected for this connection
    ///        (presumably also the path taken with the result of
    ///        checkForPeekAndSpliceGuess() — confirm in the .cc)
    void checkForPeekAndSpliceMatched(const Ssl::BumpMode finalMode);

    /// Guesses the final bumping decision when no ssl_bump rules match.
    /// Because it runs only for connections that no ssl_bump rule matched, the
    /// mode it returns is the effective default policy for such connections;
    /// review it together with the ssl_bump configuration.
    Ssl::BumpMode checkForPeekAndSpliceGuess() const;

    /// Runs after the server certificate verified to update client
    /// connection manager members
    void serverCertificateVerified();

    /// A wrapper function for checkForPeekAndSpliceDone for use with acl
    /// \param answer the ssl_bump ACL verdict
    /// \param data expected to be the PeekingPeerConnector instance
    ///        (cbdata-protected, see CBDATA_CLASS) — confirm against the implementation
    static void cbCheckForPeekAndSpliceDone(allow_t answer, void *data);

    /// Inform caller class that the SSL negotiation aborted
    void tunnelInsteadOfNegotiating();

    Comm::ConnectionPointer clientConn; ///< TCP connection to the client
    AsyncCall::Pointer closeHandler; ///< we call this when the connection closed
    bool splice; ///< whether we are going to splice or not
    // NOTE(review): splice is not set in the visible part of the constructor
    // initializer list; confirm it is initialized before it is read.
    bool resumingSession; ///< whether it is an SSL resuming session connection
    bool serverCertificateHandled; ///< whether handleServerCertificate() succeeded
84 #endif /* USE_OPENSSL */
85 #endif /* SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H */