git.ipfire.org Git - thirdparty/squid.git/commitdiff
Do not lookup IP addresses of X509 certificate subject CNs (#1967)
author Alex Rousskov <rousskov@measurement-factory.com>
Tue, 31 Dec 2024 19:22:21 +0000 (19:22 +0000)
committer Squid Anubis <squid-anubis@squid-cache.org>
Tue, 31 Dec 2024 19:22:32 +0000 (19:22 +0000)
A true-vs-false `nodns` parameter value bug in a recent commit 22b2a7a0
caused, in some environments, significant startup delays and/or runtime
stalls because getaddrinfo(3) performed blocking DNS lookups when
parsing common names of X509 certificate subjects. Squid parses CNs when
loading configured and validating received certificates. Other side
effects may have included Squid-generated certificates having wrong
alternative subject names and/or wrong certificate validation results.

Negative names and context-disassociated boolean constants strike again!
Fortunately, associated problematic Ip::Address::lookupHostIP() will be
replaced when the existing Ip::Address::Parse() TODO is addressed.
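The commit message describes two distinct hazards: a parser for configured or received values (here, certificate subject CNs) that can fall through to a blocking getaddrinfo(3) call, and a negative boolean parameter (`nodns`) whose `true`/`false` meaning is easy to invert at the call site. The following is an added illustration, not Squid's code and not part of this commit: `parseAddress`, `DnsPolicy`, `ParsedAddress`, the injected `Resolver` and the helper functions are all hypothetical names chosen for the example. It parses only numeric IPv4/IPv6 literals with inet_pton(), which never touches the network, and replaces the boolean with a named policy so that the forbidden-DNS path is stated explicitly and can be tested offline.

```cpp
// Added example, not Squid's code: parsing IP literals without DNS lookups,
// with a named policy enum standing in for a `nodns`-style boolean.
#include <arpa/inet.h>
#include <functional>
#include <optional>
#include <string>
#include <sys/socket.h>

// A two-valued enum instead of a negative boolean: the call site reads
// parseAddress(raw, DnsPolicy::Forbidden) and true/false cannot be swapped silently.
enum class DnsPolicy { Forbidden, Allowed };

struct ParsedAddress {
    int family = AF_UNSPEC;        // AF_INET or AF_INET6
    unsigned char bytes[16] = {};  // network-order address bytes (4 or 16 used)
};

// Accepts only numeric IPv4/IPv6 literals. inet_pton() is a pure string
// parser: it consults neither /etc/hosts nor the network, so it cannot stall.
std::optional<ParsedAddress> parseLiteral(const std::string &raw) {
    ParsedAddress out;
    if (inet_pton(AF_INET, raw.c_str(), out.bytes) == 1) {
        out.family = AF_INET;
        return out;
    }
    if (inet_pton(AF_INET6, raw.c_str(), out.bytes) == 1) {
        out.family = AF_INET6;
        return out;
    }
    return std::nullopt;
}

// The resolver is injected so the policy can be exercised offline; in a real
// program this would wrap getaddrinfo(3), which may block on the network.
using Resolver = std::function<std::optional<ParsedAddress>(const std::string &)>;

std::optional<ParsedAddress> parseAddress(const std::string &raw, DnsPolicy policy,
                                          const Resolver &resolve) {
    if (auto literal = parseLiteral(raw))
        return literal;
    if (policy == DnsPolicy::Forbidden)
        return std::nullopt;  // a hostname is rejected here, never resolved
    return resolve ? resolve(raw) : std::nullopt;
}

// Helper: how often the (would-be blocking) resolver is invoked for an input/policy pair.
int resolverCallsFor(const std::string &raw, DnsPolicy policy) {
    int calls = 0;
    Resolver fake = [&calls](const std::string &) -> std::optional<ParsedAddress> {
        ++calls;
        return parseLiteral("203.0.113.5");  // constructed answer from a documentation range
    };
    parseAddress(raw, policy, fake);
    return calls;
}

// Helper: the address family a parse yields, AF_UNSPEC when the input is rejected.
int familyOf(const std::string &raw, DnsPolicy policy) {
    auto result = parseAddress(raw, policy, nullptr);
    return result ? result->family : AF_UNSPEC;
}
```

With `DnsPolicy::Forbidden`, a non-literal such as a constructed `www.example.com` is rejected immediately and the resolver is never called, which is the property a certificate-CN parser needs; with `DnsPolicy::Allowed`, literals still bypass the resolver and only real names reach it.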

src/ip/Address.cc

index 37570298e0f991b1e53260133a805e51c7dff6aa..298db47a4d00c1b3b31107c46c19e679c111915b 100644 (file)
@@ -45,7 +45,7 @@ Ip::Address::Parse(const char * const raw)
 {
     Address tmp;
     // TODO: Merge with lookupHostIP() after removing DNS lookups from Ip.
-    if (tmp.lookupHostIP(raw, false))
+    if (tmp.lookupHostIP(raw, true))
         return tmp;
     return std::nullopt;
 }
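Review bot: the flip from `false` to `true` corrects the inversion the message describes, but the call site still passes a bare boolean to a parameter the message calls `nodns`, which is exactly what let the original mistake slip through; at minimum annotate the argument, e.g. `if (tmp.lookupHostIP(raw, true /* nodns: no blocking getaddrinfo() here */))`, and when the TODO on the line above is addressed, replace the boolean with a named enum so the intent is checked by the compiler rather than by the reader. A regression test that feeds Parse() a non-numeric name and asserts it returns std::nullopt without performing any lookup would catch a future re-inversion.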