TLS: fix various bugs in HTTPS proxying context creation

cache_peer with "ssl" option and DIRECT HTTPS outgoing traffic was
not having TLS context initialized at all. Resulting in TLS outgoing
being disabled unless explicit extra options were used.

With this patch:

The default squid.conf sets "tls_outgoing_options min-version=1.0".
Which auto-enables DIRECT outgoing, the new explicit "disable" option
is required to turn off.

http_port ... protocol=HTTPS and https_port forces
"encryptTransport=true;" explicitly based on the expected protocol. So
it is either enabled by the parse() call when TLS options are used, or
forced on anyway later when the protocol is validated.

icaps:// services also explicitly set "encryptTransport=true;"
explicitly based on 's' in the service URI scheme.

The cache_peer requires a minimum of "ssl" option to be configured. Any
use of TLS/SSL options other than "disable" will enable TLS to the peer.

In summary TLS should be:

* default-on for all https_port, icaps:// services, and outgoing
https:// traffic.

* manually enabled on cache_peer and http_port.

* manually disabled on outgoing https:// traffic.

diff --git a/src/adaptation/ServiceConfig.cc b/src/adaptation/ServiceConfig.cc
index f1dfbcd4a0fffd91b621f590851477254390a429..79b70ee4a0b8a80c35bcc26e79e2553f78ceff01 100644 (file)
--- a/src/adaptation/ServiceConfig.cc
+++ b/src/adaptation/ServiceConfig.cc
@@ -136,7 +136,6 @@ Adaptation::ServiceConfig::parse()
             tmp += "=";
             tmp += value;
             secure.parse(tmp.c_str());
-            secure.encryptTransport = true;
             grokked = true;
 #endif
         } else

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index f45d8078fa5973cbb5bb8a913a803f9f646e61c6..6f2a87e11a3603900baa8bb178205dfe5a47a1c5 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2193,11 +2193,9 @@ parse_peer(CachePeer ** head)
 #if !USE_OPENSSL
             debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl");
 #else
-            p->secure.encryptTransport = true;
             p->secure.parse(token+3);
 #endif
         } else if (strncmp(token, "tls-", 4) == 0) {
-            p->secure.encryptTransport = true;
             p->secure.parse(token+4);
         } else if (strcmp(token, "front-end-https") == 0) {
             p->front_end_https = 1;

diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 26b8e74d049e0c1c4b3df81ea9b07f07eeb4ced8..c39ef2115184420f8d1a15dd53f2bfc4040eeb18 100644 (file)
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -42,9 +42,18 @@ Security::PeerOptions::PeerOptions(const Security::PeerOptions &p) :
 void
 Security::PeerOptions::parse(const char *token)
 {
+    if (!*token) {
+        // config says just "ssl" or "tls" (or "tls-")
+        encryptTransport = true;
+        return;
+    }
+
     if (strncmp(token, "disable", 7) == 0) {
         clear();
-    } else if (strncmp(token, "cert=", 5) == 0) {
+        return;
+    }
+
+    if (strncmp(token, "cert=", 5) == 0) {
         certFile = SBuf(token + 5);
         if (privateKeyFile.isEmpty())
             privateKeyFile = certFile;
@@ -80,7 +89,10 @@ Security::PeerOptions::parse(const char *token)
         sslDomain = SBuf(token + 7);
     } else {
         debugs(3, DBG_CRITICAL, "ERROR: Unknown TLS option '" << token << "'");
+        return;
     }
+
+    encryptTransport = true;
 }
 
 void