Peek and Splice: %ssl::<cert_subject and %ssl::<cert_issuer formating codes to e
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 5 Aug 2014 14:27:34 +0000 (17:27 +0300)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 5 Aug 2014 14:27:34 +0000 (17:27 +0300)
xternal_acl

This patch adds the %ssl::<cert_subject and %ssl::<cert_issuer
formatting codes to external_acl helpers.
 * The %ssl::<cert_subject formatting code prints the server certificate DN
 * The %ssl::<cert_issuer formatting code prints the server certificate issuer DN

Both formatting codes are available after the ssl bumped connection is
established.
When Peek and Splice mode is selected these formatting codes are available in
peek or stare mode, after step2 is completed and the server certificate has
been received.

src/cf.data.pre
src/external_acl.cc
src/format/ByteCode.h
src/format/Format.cc
src/ssl/PeerConnector.cc

index 1f0762f5c1754cb8bfa87fa164a2e74e10d72eac..b5c9a8fd18edd997235036012530cd39b6344784 100644 (file)
@@ -741,6 +741,8 @@ DOC_START
          %USER_CERT_xx SSL User certificate subject attribute xx
          %USER_CA_xx   SSL User certificate issuer attribute xx
          %ssl::>sni    SSL client SNI sent to Squid
+         %ssl::<cert_subject SSL server certificate DN
+         %ssl::<cert_issuer SSL server certificate issuer DN
 
          %>{Header}    HTTP request header "Header"
          %>{Hdr:member}
index 036a3c83f14730d0daed9d2c813600689f2a8aa0..ba9296c5f4c873e441b4442d10d75eb05f530b4a 100644 (file)
@@ -426,6 +426,10 @@ parse_externalAclHelper(external_acl ** list)
             format->header = xstrdup(token + 11);
         } else if (strcmp(token, "%ssl::>sni") == 0)
             format->type = Format::LFT_SSL_CLIENT_SNI;
+        else if (strcmp(token, "%ssl::<cert_subject") == 0)
+            format->type = Format::LFT_SSL_SERVER_CERT_SUBJECT;
+        else if (strcmp(token, "%ssl::<cert_issuer") == 0)
+            format->type = Format::LFT_SSL_SERVER_CERT_ISSUER;
 #endif
 #if USE_AUTH
         else if (strcmp(token, "%EXT_USER") == 0 || strcmp(token, "%ue") == 0)
@@ -562,6 +566,8 @@ dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl
                 DUMP_EXT_ACL_TYPE_FMT(EXT_ACL_USER_CERT, " %%USER_CERT_%s", format->header);
                 DUMP_EXT_ACL_TYPE_FMT(EXT_ACL_USER_CA_CERT, " %%USER_CA_CERT_%s", format->header);
                 DUMP_EXT_ACL_TYPE_FMT(SSL_CLIENT_SNI, "ssl::>sni");
+                DUMP_EXT_ACL_TYPE_FMT(SSL_SERVER_CERT_SUBJECT, "%%ssl::<cert_subject");
+                DUMP_EXT_ACL_TYPE_FMT(SSL_SERVER_CERT_ISSUER, "%%ssl::<cert_issuer");
 #endif
 #if USE_AUTH
                 DUMP_EXT_ACL_TYPE_FMT(USER_EXTERNAL," %%ue");
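Review bot: The two new format strings, `"%%ssl::<cert_subject"` and `"%%ssl::<cert_issuer"`, carry no leading space, unlike the `" %%USER_CERT_%s"` / `" %%USER_CA_CERT_%s"` entries just above them (the existing `"ssl::>sni"` line is missing both the space and its `%%`, which looks like a pre-existing bug rather than a convention to follow). If DUMP_EXT_ACL_TYPE_FMT does not insert a separator itself — its definition is outside this hunk — the regenerated external_acl_type line will run these tokens into the previous one and not parse back. Suggest `" %%ssl::<cert_subject"` and `" %%ssl::<cert_issuer"`.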
@@ -1090,6 +1096,24 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
                 }
             }
             break;
+
+        case Format::LFT_SSL_SERVER_CERT_SUBJECT:
+        case Format::LFT_SSL_SERVER_CERT_ISSUER: {
+            X509 *serverCert = NULL;
+            if (ch->serverCert.get())
+                serverCert = ch->serverCert.get();
+            else if (ch->conn()->serverBump())
+                serverCert = ch->conn()->serverBump()->serverCert.get();
+
+            if (serverCert) {
+                if (format->type == Format::LFT_SSL_SERVER_CERT_SUBJECT)
+                    str = Ssl::GetX509UserAttribute(serverCert, "DN");
+                else
+                    str = Ssl::GetX509CAAttribute(serverCert, "DN");
+            }
+            break;
+        }
+
 #endif
 #if USE_AUTH
         case Format::LFT_USER_EXTERNAL:
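Review bot: `else if (ch->conn()->serverBump())` dereferences `ch->conn()` without a null check, even though the branch order (trying `ch->serverCert` first) suggests the checklist may not always carry a client connection; the closing braces at the top of the hunk hint that the preceding case keeps its serverBump() access under a guard. Suggest `else if (ch->conn() != NULL && ch->conn()->serverBump())`. Both DNs come from a certificate chosen by the remote server, so whatever escaping the rest of makeExternalAclKey applies to `str` before it reaches the helper must also cover these values; makeExternalAclKey begins and ends outside this hunk, so that path is inferred rather than verified here.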
index 958eb349d7a7a345be0e75ac0e3e49cab4f3ce30..024bd7f668c730e5d316ce70ef19fe67eefa8bec 100644 (file)
@@ -207,6 +207,8 @@ typedef enum {
     LFT_SSL_USER_CERT_SUBJECT,
     LFT_SSL_USER_CERT_ISSUER,
     LFT_SSL_CLIENT_SNI,
+    LFT_SSL_SERVER_CERT_SUBJECT,
+    LFT_SSL_SERVER_CERT_ISSUER,
 #endif
 
     LFT_NOTE,
index 1c72488ddccff9b74a96821e27649b47de828b5e..c6ac9766d17b67628733f5ec073ce111b3cb6f14 100644 (file)
@@ -1143,6 +1143,11 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
                 }
             }
             break;
+
+        case LFT_SSL_SERVER_CERT_ISSUER:
+        case LFT_SSL_SERVER_CERT_SUBJECT:
+            // Not implemented
+            break;
 #endif
 
         case LFT_REQUEST_URLGROUP_OLD_2X:
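Review bot: The `// Not implemented` comment on the new LFT_SSL_SERVER_CERT_ISSUER / LFT_SSL_SERVER_CERT_SUBJECT cases does not say why, so a reader of Format::assemble cannot tell whether a logformat token for them exists and is being silently dropped. If, as the external_acl.cc part of this commit suggests, these codes are produced only by external_acl's own strcmp-based token parser and never by Format's token table, the comment should say so: `// Produced only by external_acl's token parser (see makeExternalAclKey); no logformat token maps here, so nothing to emit`. If a logformat token does exist, this branch should emit the DN or reject the token at parse time rather than quietly log an empty field. Format::assemble begins and ends outside this hunk.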
index 72c3262ec217f5f50da9f9465ec6a7fdaa561b61..fb504bf43ece404c830dca69ec29db1bb4da753e 100644 (file)
@@ -283,10 +283,13 @@ Ssl::PeerConnector::cbCheckForPeekAndSplice(allow_t answer, void *data)
 bool
 Ssl::PeerConnector::checkForPeekAndSplice(bool checkDone, Ssl::BumpMode peekMode)
 {
+    SSL *ssl = fd_table[serverConn->fd].ssl;
     // Mark Step3 of bumping
     if (request->clientConnectionManager.valid()) {
         if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
             serverBump->step = Ssl::bumpStep3;
+            if (!serverBump->serverCert.get())
+                serverBump->serverCert.reset(SSL_get_peer_certificate(ssl));
         }
     }
 
@@ -297,8 +300,7 @@ Ssl::PeerConnector::checkForPeekAndSplice(bool checkDone, Ssl::BumpMode peekMode
         acl_checklist->nonBlockingCheck(Ssl::PeerConnector::cbCheckForPeekAndSplice, this);
         return false;
     }
-    
-    SSL *ssl = fd_table[serverConn->fd].ssl;
+
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
     debugs(83,5, "Will check for peek and splice on fd " << serverConn->fd);