]> git.ipfire.org Git - thirdparty/squid.git/commitdiff
projects / thirdparty / squid.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bb64d87)
Fixed handling of invalid SSL server certificates when splicing connections.
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 30 Dec 2014 15:33:40 +0000 (17:33 +0200)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 30 Dec 2014 15:33:40 +0000 (17:33 +0200)
An unpatched Squid in peek-and-splice mode may splice connections after
receiving a malformed or unsupported SSL server Hello message. This may
happen even if sslproxy_cert_error tells Squid to honor the error. After
this change, Squid honors sslproxy_cert_error setting when:

* no server certificate was found and checked using Squid validation procedure
  (e.g., because the SSL server Hello response was malformed or unsupported); or
* Squid server certificate validation procedure has failed.

If the certificate error is not allowed, Squid terminates the server connection
and attempts to bump the client connection to deliver the error message to the
user.

This is a Measurement Factory project

src/ssl/PeerConnector.cc patch | blob | blame | history

diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index 095fe317c046850e0621fbf30cc8b639503aed9f..1308b0bd065842f19241c494b39271addaf000d1 100644 (file)
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -541,8 +541,14 @@ Ssl::PeerConnector::handleNegotiateError(const int ret)
         // In this case the connection can be saved.
         // If the checklist decision is do not splice a new error will
         // occure in the next SSL_connect call, and we will fail again.
+        // Abort on certificate validation errors to avoid splicing and
+        // thus hiding them.
+        // Abort if no certificate found probably because of malformed or
+        // unsupported server Hello message (TODO: make configurable).
 #if 1
-        if ((request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek  || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) {
+        if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) &&
+            SSL_get_peer_certificate(ssl) &&
+            (request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek  || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) {
             debugs(81, 3, "Error ("  << ERR_error_string(ssl_lib_error, NULL) <<  ") but, hold write on SSL connection on FD " << fd);
             checkForPeekAndSplice();
             return;
Mirror of https://github.com/squid-cache/squid.git