Patch general description:
- Adds the peek-and-splice SSL bumping mode.
- The squid client side reads the SSL client hello message. At this time it just
buffers the hello message and does not pass it to the OpenSSL subsystem.
The SSL-client-to-squid connection pauses here.
- Squid extracts the SSL client hello message features and configures the
squid-to-SSL-server SSL context to have the same features.
- Squid sends the SSL hello message to the SSL server and gets the response.
At this time it just buffers the SSL server hello response and does not pass it
to the OpenSSL subsystem. The squid-to-SSL-server connection pauses here.
- Squid decides (at this time always) to bump the connection, so it starts
the squid-to-SSL-server connection. The connection to the SSL server is
established.
- Squid gets the server certificates, builds new ones based on these certificates,
configures the SSL-client-to-squid SSL context with the generated
certificates, and allows the client hello message to enter the OpenSSL subsystem
and establish the SSL connection with the client.
Technical details:
- client_side.cc:
clientNegotiateSSL is split into two functions, clientNegotiateSSL and
Squid_SSL_accept, to support the new "pause SSL connection" feature.
Add three new ConnStateData methods (startPeekAndSplice, startPeekAndSpliceDone
and doPeekAndSpliceStep) to control SSL-client-to-squid connection pause/start.
- forward.cc:
Add code to the FwdState::initiateSSL method to retrieve SSL features from the
client SSL hello message and configure the SSL connection with the SSL
server.
A new method is added, FwdState::checkForPeekAndSplice, which is called in
peek-and-splice SSL bumping mode to decide whether we need to splice or bump
the SSL connection.
- ssl/bio.cc, features added:
  Ssl::ClientBio: Read and buffer the hello message.
  Ssl::ServerBio: Hacks the OpenSSL hello message while the message is sent to
    the server. Buffer the SSL server hello message response.
  Ssl::Bio::sslFeatures: A new class which is able to extract and store SSL
    features from OpenSSL SSL objects, or from raw SSL hello messages.
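As an added illustration (not part of this patch or of Squid's code) of what a raw-hello feature extractor such as Ssl::Bio::sslFeatures has to do while the record is held back from OpenSSL, here is a small C++ parser that reads client_version, the cipher suite list and the server_name (SNI) extension out of a buffered ClientHello record, with a bounds check on every length field. The type and function names are hypothetical, and the sample bytes are constructed, not a real capture.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>
// Hypothetical feature record (not Squid's sslFeatures) read from a buffered ClientHello.
struct ClientHelloFeatures {
    uint16_t version = 0;           // client_version
    std::vector<uint16_t> ciphers;  // offered cipher suites, in client order
    std::string sni;                // server_name host, empty if absent
};
struct Reader {                     // bounds-checked big-endian field reader
    const std::vector<uint8_t> &b; size_t pos = 0;
    void skip(size_t n) { if (pos + n > b.size()) throw std::runtime_error("truncated ClientHello"); pos += n; }
    uint32_t get(size_t n) { uint32_t v = 0; skip(n); for (size_t i = pos - n; i < pos; ++i) v = (v << 8) | b[i]; return v; }
};
ClientHelloFeatures parseClientHello(const std::vector<uint8_t> &rec) {
    Reader r{rec};
    if (r.get(1) != 0x16) throw std::runtime_error("not a TLS handshake record");
    r.skip(2);                                          // record-layer version
    size_t recLen = r.get(2);
    if (r.get(1) != 0x01) throw std::runtime_error("not a ClientHello");
    if (r.get(3) + 4 != recLen) throw std::runtime_error("handshake length mismatch");
    ClientHelloFeatures f;
    f.version = static_cast<uint16_t>(r.get(2)); r.skip(32);  // client_version, random
    r.skip(r.get(1));                                   // session_id
    for (size_t n = r.get(2) / 2; n > 0; --n) f.ciphers.push_back(static_cast<uint16_t>(r.get(2)));
    r.skip(r.get(1));                                   // compression_methods
    if (r.pos >= rec.size()) return f;                  // old clients may send no extensions
    size_t extLen = r.get(2), extEnd = r.pos + extLen;
    while (r.pos < extEnd) {
        uint16_t type = static_cast<uint16_t>(r.get(2));
        size_t len = r.get(2), next = r.pos + len;
        if (next > extEnd) throw std::runtime_error("extension overruns extension list");
        if (type == 0x0000) {                           // server_name: list length, then host_name entry
            r.skip(2);
            if (r.get(1) == 0) { size_t n = r.get(2); r.skip(n); f.sni.assign(rec.begin() + (r.pos - n), rec.begin() + r.pos); }
        }
        r.pos = next;                                   // ignore other extensions
    }
    return f;
}
// Constructed sample, not a real capture: TLS 1.2 ClientHello offering two suites with SNI "example.com".
std::vector<uint8_t> sampleClientHello() {
    std::vector<uint8_t> v = {0x16, 0x03, 0x01, 0x00, 0x45, 0x01, 0x00, 0x00, 0x41, 0x03, 0x03};
    v.resize(v.size() + 32, 0x42);                      // 32-byte random
    const uint8_t rest[] = {0x00, 0x00, 0x04, 0xc0, 0x2f, 0x00, 0x2f, 0x01, 0x00,  // empty session_id, 2 suites, null compression
        0x00, 0x14, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x00, 0x0b,          // extensions length, SNI extension header
        'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'};
    v.insert(v.end(), rest, rest + sizeof rest); return v;
}
```

A malformed or truncated record raises before any field is trusted, which is the property a peeking proxy needs since the bytes come straight from the client and have not yet been validated by OpenSSL.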