From: Alex Rousskov
Date: Mon, 6 Jul 2020 08:04:31 +0000 (+0000)
Subject: Honor on_unsupported_protocol for intercepted https_port (#689)
X-Git-Tag: SQUID_5_0_4~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=334cf3e013392c40c47da5107b73b03706c95bc1;p=thirdparty%2Fsquid.git

Honor on_unsupported_protocol for intercepted https_port (#689)

... when Squid discovers a non-TLS client while parsing its handshake.

For https_port traffic, ConnStateData::switchToHttps() relies on start() to set preservingClientData_ correctly, but shouldPreserveClientData(), called by start() to set preservingClientData_, was not preserving TLS bytes in the https_port start() context.

Typical debug messages:

    parseTlsHandshake: Got something other than TLS ... Cannot SslBump
    tunnelOnError: may have forgotten client data; send error: 40

---
diff --git a/src/client_side.cc b/src/client_side.cc index fb5342ab3e..606fda71c9 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -4068,8 +4068,8 @@ ConnStateData::shouldPreserveClientData() const return true; #endif - // the 1st HTTP(S) request on a connection to a plain intercepting port - if (!pipeline.nrequests && !port->secure.encryptTransport && transparent()) + // the 1st HTTP(S) request on a connection to an intercepting port + if (!pipeline.nrequests && transparent()) return true; return false;
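Review bot: The new comment above `if (!pipeline.nrequests && transparent())` says which connections are covered but not why an encrypted intercepting port now needs its bytes preserved; that rationale lives only in the commit message. With `!port->secure.encryptTransport` removed, a later reader could take the missing check for an oversight and restore it, bringing back the "may have forgotten client data" failure. Consider extending the comment to say that on an intercepted https_port the preserved bytes are the client's initial (possibly non-TLS) handshake bytes, kept so that on_unsupported_protocol can still tunnel the connection when TLS handshake parsing fails. "HTTP(S) request" is also slightly misleading for that case, since what start() preserves there is handshake data rather than a parsed request. The patch touches only src/client_side.cc, so a regression test that sends a non-TLS client to an intercepted https_port with on_unsupported_protocol set to tunnel would help keep this path covered.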