Bug #931: Cleanup of SSL messages on startup/reconfigure

The attached patch restructures the SSL initialization in such manner
that the SSL contexts are set up after the whole configuration has been read,
allowing the cache.log to be opened before.

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 6bbdc1d1fdaa23c6e2dbad498816d7bde3401b6d..895bef69062c6f2c6e25545f54c5701e13bf4fea 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: cache_cf.cc,v 1.456 2004/11/06 22:20:47 hno Exp $
+ * $Id: cache_cf.cc,v 1.457 2004/12/08 00:06:03 hno Exp $
  *
  * DEBUG: section 3     Configuration File Parsing
  * AUTHOR: Harvest Derived
@@ -395,6 +395,13 @@ parseConfigFile(const char *file_name)
     }
 
     defaults_if_none();
+
+    if (!Config.chroot_dir) {
+        leave_suid();
+        _db_init(Config.Log.log, Config.debugOptions);
+        enter_suid();
+    }
+
     configDoConfigure();
     cachemgrRegister("config",
                      "Current Squid Configuration",
@@ -653,7 +660,32 @@ configDoConfigure(void)
     urlExtMethodConfigure();
 #if USE_SSL
 
+    debug(3, 1) ("Initializing https proxy context\n");
+
     Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath);
+
+    {
+
+        peer *p;
+
+        for (p = Config.peers; p != NULL; p = p->next) {
+            if (p->use_ssl) {
+                debug(3, 1) ("Initializing cache_peer %s SSL context\n", p->name);
+                p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath);
+            }
+        }
+    }
+
+    {
+
+        https_port_list *s;
+
+        for (s = Config.Sockaddr.https; s != NULL; s = s->next) {
+            debug(3, 1) ("Initializing https_port %s:%d SSL context\n", inet_ntoa(s->s.sin_addr), ntohs(s->s.sin_port));
+            s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile);
+        }
+    }
+
 #endif
 }
 
@@ -1710,12 +1742,6 @@ parse_peer(peer ** head)
         p->digest = cbdataReference(pd);
     }
 
-#endif
-#if USE_SSL
-    if (p->use_ssl) {
-        p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath);
-    }
-
 #endif
     while (*head != NULL)
         head = &(*head)->next;
@@ -2725,6 +2751,7 @@ free_generic_http_port_data(http_port_list * s)
 {
     safe_free(s->name);
     safe_free(s->defaultsite);
+    safe_free(s->protocol);
 }
 
 static void
@@ -2834,6 +2861,12 @@ cbdataFree_https_port(void *data)
     free_generic_http_port_data(&s->http);
     safe_free(s->cert);
     safe_free(s->key);
+    safe_free(s->options);
+    safe_free(s->cipher);
+    safe_free(s->cafile);
+    safe_free(s->capath);
+    safe_free(s->dhfile);
+    safe_free(s->sslflags);
 }
 
 static void
@@ -2890,11 +2923,6 @@ parse_https_port_list(https_port_list ** head)
         }
     }
 
-    s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile);
-
-    if (!s->sslContext)
-        self_destruct();
-
     while (*head)
         head = (https_port_list **)&(*head)->http.next;
 

diff --git a/src/client_side.cc b/src/client_side.cc
index 4d60b8dbb003fe70423ecd11c5804a8f58097c82..8528c0e9832c0809a6efbf5d934a2f703cf40f82 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: client_side.cc,v 1.674 2004/11/16 23:11:46 wessels Exp $
+ * $Id: client_side.cc,v 1.675 2004/12/08 00:06:04 hno Exp $
  *
  * DEBUG: section 33    Client-side Routines
  * AUTHOR: Duane Wessels
@@ -3052,6 +3052,11 @@ clientHttpsConnectionsOpen(void)
             continue;
         }
 
+        if (s->sslContext == NULL) {
+            debug(1, 1) ("Can not accept HTTPS connections at %s, port %d\n",
+                         inet_ntoa(s->http.s.sin_addr), (int) ntohs(s->http.s.sin_port));
+        }
+
         enter_suid();
         fd = comm_open(SOCK_STREAM,
                        IPPROTO_TCP,

diff --git a/src/ssl_support.cc b/src/ssl_support.cc
index ddf7a6e782a1917c6675561f2f3430cfd2b0f778..833c471b480a180d4540508c063ba217c076894e 100644 (file)
--- a/src/ssl_support.cc
+++ b/src/ssl_support.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: ssl_support.cc,v 1.17 2004/11/06 22:03:57 hno Exp $
+ * $Id: ssl_support.cc,v 1.18 2004/12/08 00:06:04 hno Exp $
  *
  * AUTHOR: Benno Rice
  * DEBUG: section 83    SSL accelerator support
@@ -465,8 +465,6 @@ sslCreateServerContext(const char *certfile, const char *keyfile, int version, c
     if (!CAfile)
         CAfile = clientCA;
 
-    debug(83, 1) ("Initialising SSL.\n");
-
     switch (version) {
 
     case 2:
@@ -627,8 +625,6 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, c
     if (!certfile)
         certfile = keyfile;
 
-    debug(83, 1) ("Initialising SSL.\n");
-
     switch (version) {
 
     case 2: