BIO *bc = SSL_get_rbio(clientSession);
Ssl::ClientBio *cltBio = static_cast<Ssl::ClientBio *>(BIO_get_data(bc));
Must(cltBio);
- if (details && details->tlsVersion.protocol != AnyP::PROTO_NONE) {
+ if (details && details->tlsVersion.protocol != AnyP::PROTO_NONE)
applyTlsDetailsToSSL(serverSession.get(), details, csd->sslBumpMode);
- // Should we allow it for all protocols?
- if (details->tlsVersion.protocol == AnyP::PROTO_TLS || details->tlsVersion == AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0)) {
- BIO *b = SSL_get_rbio(serverSession.get());
- Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
- // Inherite client features, like SSL version, SNI and other
- srvBio->setClientFeatures(details, cltBio->rBufData());
- srvBio->recordInput(true);
- srvBio->mode(csd->sslBumpMode);
- }
- }
+
+ BIO *b = SSL_get_rbio(serverSession.get());
+ Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
+ Must(srvBio);
+ // inherit client features such as TLS version and SNI
+ srvBio->setClientFeatures(details, cltBio->rBufData());
+ srvBio->recordInput(true);
+ srvBio->mode(csd->sslBumpMode);
} else {
// Set client SSL options
SSL_set_options(serverSession.get(), ::Security::ProxyOutgoingConfig.parsedOptions);
Ssl::ServerBio::setClientFeatures(Security::TlsDetails::Pointer const &details, SBuf const &aHello)
{
clientTlsDetails = details;
- clientHelloMessage = aHello;
+ clientSentHello = aHello;
};
int
adjustSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, SBuf &helloMessage)
{
#if SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK
+ if (!details)
+ return false;
+
if (!ssl->s3) {
debugs(83, 5, "No SSLv3 data found!");
return false;
}
if (!helloBuild && (bumpMode_ == Ssl::bumpPeek || bumpMode_ == Ssl::bumpStare)) {
- if (
- buf[1] >= 3 //it is an SSL Version3 message
- && buf[0] == 0x16 // and it is a Handshake/Hello message
- ) {
-
- //Hello message is the first message we write to server
- assert(helloMsg.isEmpty());
-
- auto ssl = fd_table[fd_].ssl.get();
- if (ssl) {
- if (bumpMode_ == Ssl::bumpPeek) {
- if (adjustSSL(ssl, clientTlsDetails, clientHelloMessage))
- allowBump = true;
- allowSplice = true;
- helloMsg.append(clientHelloMessage);
- debugs(83, 7, "SSL HELLO message for FD " << fd_ << ": Random number is adjusted for peek mode");
- } else { /*Ssl::bumpStare*/
+ // buf contains OpenSSL-generated ClientHello. We assume it has a
+ // complete ClientHello and nothing else, but cannot fully verify
+ // that quickly. We only verify that buf starts with a v3+ record
+ // containing ClientHello.
+ Must(size >= 2); // enough for version and content_type checks below
+ Must(buf[1] >= 3); // record's version.major; determines buf[0] meaning
+ Must(buf[0] == 22); // TLSPlaintext.content_type == handshake in v3+
+
+ //Hello message is the first message we write to server
+ assert(helloMsg.isEmpty());
+
+ if (auto ssl = fd_table[fd_].ssl.get()) {
+ if (bumpMode_ == Ssl::bumpPeek) {
+ // we should not be here if we failed to parse the client-sent ClientHello
+ Must(!clientSentHello.isEmpty());
+ if (adjustSSL(ssl, clientTlsDetails, clientSentHello))
allowBump = true;
- if (adjustSSL(ssl, clientTlsDetails, clientHelloMessage)) {
- allowSplice = true;
- helloMsg.append(clientHelloMessage);
- debugs(83, 7, "SSL HELLO message for FD " << fd_ << ": Random number is adjusted for stare mode");
- }
+ allowSplice = true;
+ // Replace OpenSSL-generated ClientHello with client-sent one.
+ helloMsg.append(clientSentHello);
+ debugs(83, 7, "FD " << fd_ << ": Using client-sent ClientHello for peek mode");
+ } else { /*Ssl::bumpStare*/
+ allowBump = true;
+ if (!clientSentHello.isEmpty() && adjustSSL(ssl, clientTlsDetails, clientSentHello)) {
+ allowSplice = true;
+ helloMsg.append(clientSentHello);
+ debugs(83, 7, "FD " << fd_ << ": Using client-sent ClientHello for stare mode");
}
}
}
- // If we do not build any hello message, copy the current
+ // if we did not use the client-sent ClientHello, then use the OpenSSL-generated one
if (helloMsg.isEmpty())
helloMsg.append(buf, size);
projects / thirdparty / squid.git / commitdiff
