For CONNECT requests that initiated bumping of
a connection and for any request received on
an already bumped connection, Squid logs the
- corresponding SslBump mode ("server-first" or
- "client-first"). See the ssl_bump option for
- more information about these modes.
+ corresponding SslBump mode ("splice", "bump",
+ "peek", "stare", "terminate", "server-first"
+ or "client-first"). See the ssl_bump option
+ for more information about these modes.
A "none" token is logged for requests that
triggered "ssl_bump" ACL evaluation matching
- either a "none" rule or no rules at all.
+ a "none" rule.
In all other cases, a single dash ("-") is
logged.
/**
* A callback function to use with the ACLFilledChecklist callback.
- * In the case of ACCESS_ALLOWED answer initializes a bumped SSL connection,
- * else reverts the connection to tunnel mode.
*/
static void
httpsSslBumpAccessCheckDone(allow_t answer, void *data)
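Review bot: The doc comment on httpsSslBumpAccessCheckDone now only says it is an ACLFilledChecklist callback; the removed sentence described what the callback decides and nothing replaced it, so the body's outcomes (recording the ssl_bump action, the terminate close, the faked CONNECT) are undocumented at the declaration. Suggest restoring a behaviour line, e.g. ` * On ACCESS_ALLOWED records answer.kind as the connection's SslBump mode (splice otherwise); a terminate answer closes the client connection, any other answer fakes a CONNECT request so bumping can start.` The function body lives in the next hunk.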
if (!connState->isOpen())
return;
- // Require both a match and a positive bump mode to work around exceptional
- // cases where ACL code may return ACCESS_ALLOWED with zero answer.kind.
- if (answer == ACCESS_ALLOWED && answer.kind != Ssl::bumpNone) {
- debugs(33, 2, "sslBump needed for " << connState->clientConnection << " method " << answer.kind);
+ if (answer == ACCESS_ALLOWED) {
+ debugs(33, 2, "sslBump action " << Ssl::bumpMode(answer.kind) << "needed for " << connState->clientConnection);
connState->sslBumpMode = static_cast<Ssl::BumpMode>(answer.kind);
} else {
- debugs(33, 2, HERE << "sslBump not needed for " << connState->clientConnection);
- connState->sslBumpMode = Ssl::bumpNone;
+ debugs(33, 3, "sslBump not needed for " << connState->clientConnection);
+ connState->sslBumpMode = Ssl::bumpSplice;
+ }
+
+ if (connState->sslBumpMode == Ssl::bumpTerminate) {
+ connState->clientConnection->close();
+ return;
}
+
if (!connState->fakeAConnectRequest("ssl-bump", connState->inBuf))
connState->clientConnection->close();
}
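Review bot: The debugs line in the ACCESS_ALLOWED branch joins the mode name and "needed for" with no separator, so the log reads "sslBump action spliceneeded for ..."; change it to `debugs(33, 2, "sslBump action " << Ssl::bumpMode(answer.kind) << " needed for " << connState->clientConnection);`. Separately, the removed guard and its comment covered ACL code returning ACCESS_ALLOWED with answer.kind == 0; if that can still happen, sslBumpMode now becomes bumpNone instead of the bumpSplice the else branch chooses, so either confirm the ACL layer no longer does that or keep mapping kind == Ssl::bumpNone to Ssl::bumpSplice. The function's opening lines are outside the hunk.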
Must(context && context->http);
HttpRequest::Pointer request = context->http->request;
debugs(83, 5, "Got something other than TLS Client Hello. Cannot SslBump.");
- sslBumpMode = Ssl::bumpNone;
+ sslBumpMode = Ssl::bumpSplice;
+ context->http->al->ssl.bumpMode = Ssl::bumpSplice;
if (!clientTunnelOnError(this, context, request, HttpRequestMethod(), ERR_PROTOCOL_UNKNOWN))
clientConnection->close();
return;
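Review bot: The new assignment to al->ssl.bumpMode overwrites whatever the earlier ssl_bump decision recorded for the access log, with no comment explaining why; since this path is taken for any non-TLS bytes on the connection and then hands it to clientTunnelOnError, a reader could take the logged "splice" for an administrator's choice. Suggest `// not a TLS handshake, so it cannot be bumped; presumably tunneled as-is, hence logged as splice regardless of the step1 decision` above the two assignments. The enclosing method starts and ends outside the hunk.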
connState->serverBump()->act.step2 = bumpAction;
connState->sslBumpMode = bumpAction;
+ Http::StreamPointer context = connState->pipeline.front();
+ if (ClientHttpRequest *http = (context ? context->http : nullptr))
+ http->al->ssl.bumpMode = bumpAction;
if (bumpAction == Ssl::bumpTerminate) {
connState->clientConnection->close();
return;
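Review bot: The new lines call connState->pipeline.front() without checking whether the pipeline is empty; the nullptr test on context only helps if front() returns a null StreamPointer for an empty pipeline rather than asserting, which is not visible here — please confirm, or guard with `if (!connState->pipeline.empty())`. When no context exists the access-log entry silently keeps its earlier bumpMode, which may deserve a level-3 debugs so a missing step2 mode in the log is diagnosable. The enclosing function starts and ends outside the hunk.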
const Ssl::BumpMode bumpMode = answer == ACCESS_ALLOWED ?
- static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpNone;
+ static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpSplice;
http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed
http->al->ssl.bumpMode = bumpMode; // for logging
+ if (bumpMode == Ssl::bumpTerminate) {
+ const Comm::ConnectionPointer clientConn = http->getConn() ? http->getConn()->clientConnection : nullptr;
+ if (Comm::IsConnOpen(clientConn)) {
+ debugs(85, 3, "closing after Ssl::bumpTerminate ");
+ clientConn->close();
+ }
+ return;
+ }
+
http->doCallouts();
}
#endif
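Review bot: In the new bumpTerminate branch, when getConn() is null or the client connection is already closed, the function returns without calling doCallouts() and without closing anything, so the request's cleanup then depends entirely on the connection-close handlers; please confirm that path frees the ClientHttpRequest rather than leaving it pending, or say so in a comment such as `// client connection already gone; its close handlers reap this request`. The debugs message "closing after Ssl::bumpTerminate " also carries a trailing space. The enclosing function starts outside the hunk.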