From: Christos Tsantilas
Date: Mon, 30 Nov 2015 10:53:23 +0000 (+0200)
Subject: Restrict SslBump inspections of cache_peer connections.
X-Git-Tag: SQUID_4_0_4~60
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e249337704128a1b54d1eb5d3560d120b04c600;p=thirdparty%2Fsquid.git

Restrict SslBump inspections of cache_peer connections.

This change is specific to FwdState code path. It does not affect tunneled traffic. Thus, it does not affect CONNECT tunnels unless they are being inspected with SslBump code.

The old code always used PeekingPeerConnector when connecting to a TLS-related cache_peer. That approach worked because PeekingPeerConnector does not always inspect the SSL/TLS connection it establishes. We were kind of lucky that PeekingPeerConnector exceptions matched FwdState needs. The primary PeekingPeerConnector goal is to inspect. As its code evolves, it may enable inspection when FwdState does not want it. Non-peeking cases inside PeekingPeerConnector should all deal with exceptional situations that are difficult to predict a priori, before the connector object is created.

This change restricts inspection to cases where an inspected SSL client connection is being forwarded, reducing the probability that a peer connection is wrongly inspected.

This change does not fix any known bugs.

This is a Measurement Factory project.
---
diff --git a/src/FwdState.cc b/src/FwdState.cc
index ed831050a3..786a8cd2ff 100644
--- a/src/FwdState.cc
+++ b/src/FwdState.cc
@@ -705,8 +705,11 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in FwdStatePeerAnswerDialer(&FwdState::connectedToPeer, this)); // Use positive timeout when less than one second is left. const time_t sslNegotiationTimeout = max(static_cast(1), timeLeft()); - Ssl::PeekingPeerConnector *connector = - new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, sslNegotiationTimeout); + Ssl::PeerConnector *connector = NULL; + if (request->flags.sslPeek) + connector = new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, sslNegotiationTimeout); + else + connector = new Ssl::BlindPeerConnector(requestPointer, serverConnection(), callback, sslNegotiationTimeout); AsyncJob::Start(connector); // will call our callback return; }
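Review bot: the new `if (request->flags.sslPeek)` branch selects the connector purely on a client-side flag, and nothing at the call site says why that is the right criterion; add a one-line comment above the `if` stating that `sslPeek` marks a client connection already being inspected with SslBump, so the peer connection is only peeked when the client side is, and otherwise falls back to `Ssl::BlindPeerConnector`. That matches the commit message, and it also explains the asymmetry a reader will notice in the two constructors: the peeking branch passes `clientConn` while the blind branch does not. Since both branches unconditionally assign `connector`, the `= NULL` initializer is only defensive; if it is kept, a short comment that `AsyncJob::Start(connector)` is never reached with a null pointer would avoid the question in review. Unrelated to the change itself, the unchanged context line `max(static_cast(1), timeLeft())` appears to have lost its template argument in the page rendering; the hunk does not touch it.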