Fixed handling of invalid SSL server certificates when splicing connections.
An unpatched Squid in peek-and-splice mode may splice connections after
receiving a malformed or unsupported SSL server Hello message. This may
happen even if sslproxy_cert_error tells Squid to honor the error. After
this change, Squid honors sslproxy_cert_error setting when:
* no server certificate was found and checked using Squid validation procedure
(e.g., because the SSL server Hello response was malformed or unsupported); or
* Squid server certificate validation procedure has failed.
If the certificate error is not allowed, Squid terminates the server connection
and attempts to bump the client connection to deliver the error message to the
user.
projects / thirdparty / squid.git / commit
