git.ipfire.org Git - thirdparty/squid.git/commit

author	Amos Jeffries <squid3@treenet.co.nz>
	Tue, 11 Aug 2015 04:41:55 +0000 (21:41 -0700)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Tue, 11 Aug 2015 04:41:55 +0000 (21:41 -0700)
commit	d4ab7b6303319cc3cc6b5f17254dcd50c1379201
tree	a0fd920ad816c8e68c7412553f03831924f4ca59	tree
parent	40274c244762f6d446e4c2846526b962e70707e8	commit \| diff

TLS: fix various bugs in HTTPS proxying context creation

cache_peer with "ssl" option and DIRECT HTTPS outgoing traffic was
not having TLS context initialized at all. Resulting in TLS outgoing
being disabled unless explicit extra options were used.

With this patch:

The default squid.conf sets "tls_outgoing_options min-version=1.0".
Which auto-enables DIRECT outgoing, the new explicit "disable" option
is required to turn off.

http_port ... protocol=HTTPS and https_port forces
"encryptTransport=true;" explicitly based on the expected protocol. So
it is either enabled by the parse() call when TLS options are used, or
forced on anyway later when the protocol is validated.

icaps:// services also explicitly set "encryptTransport=true;"
explicitly based on 's' in the service URI scheme.

The cache_peer requires a minimum of "ssl" option to be configured. Any
use of TLS/SSL options other than "disable" will enable TLS to the peer.

In summary TLS should be:

* default-on for all https_port, icaps:// services, and outgoing
https:// traffic.

* manually enabled on cache_peer and http_port.

* manually disabled on outgoing https:// traffic.

src/adaptation/ServiceConfig.cc		diff \| blob \| blame \| history
src/cache_cf.cc		diff \| blob \| blame \| history
src/security/PeerOptions.cc		diff \| blob \| blame \| history