From: rousskov <> Date: Tue, 12 Feb 2008 05:28:47 +0000 (+0000) Subject: Importing SslBump feature from Squid3 ssl-bump branch: X-Git-Tag: BASIC_TPROXY4~123 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c9da9630c739e275fc832a5a3f73fd6facfe8fb;p=thirdparty%2Fsquid.git Importing SslBump feature from Squid3 ssl-bump branch: SslBump needs access to SSL-related options when responding to CONNECT requests. We could add a new squid.conf option to accept those options, but I decided to add SSL-related options to http_port, where CONNECT requests will arrive. This design avoids the necessity to map SSL options to an HTTP port or to a CONNECT request when a global default would not do. Adding SSL options to http_port makes http_port_list and https_port_list almost identical. I moved stuff around to reduce duplication between the two classes, moving related code to ProtoPort.{cc,h} in the process. More work is needed to remove the distinction completely or, at least, remove the https_port::http hack. Added sslproxy_cert_error ACL to be able to bypass some certificate validation errors. The default is to bypass nothing. Only a few SSL certificate validation errors are currently recognized by name, including the newly defined SQUID_X509_V_ERR_DOMAIN_MISMATCH error which is raised when Squid certificate domain validation fails. Added support for ssl_error ACL (ACLSslError*). --- diff --git a/src/cf.data.pre b/src/cf.data.pre index 00935d0e65..f4b6c78471 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.500 2008/02/08 11:20:27 hno Exp $ +# $Id: cf.data.pre,v 1.501 2008/02/11 22:28:47 rousskov Exp $ # # SQUID Web Proxy Cache http://www.squid-cache.org/ # ---------------------------------------------------------- 
@@ -941,6 +941,22 @@ DOC_START sporadically hang or never complete requests set disable-pmtu-discovery option to 'transparent'. + sslBump Intercept each CONNECT request matching ssl_bump ACL, + establish secure connection with the client and with + the server, decrypt HTTP messages as they pass through + Squid, and treat them as unencrypted HTTP messages, + becoming the man-in-the-middle. + + When this option is enabled, additional options become + available to specify SSL-related properties of the + client-side connection: cert, key, version, cipher, + options, clientca, cafile, capath, crlfile, dhparams, + sslflags, and sslcontext. See the https_port directive + for more information on these options. + + The ssl_bump option is required to fully enable + the SslBump feature. + name= Specifies a internal name for the port. Defaults to the port specification (port or addr:port) @@ -1257,6 +1273,34 @@ DOC_START server certificates while proxying https:// URLs DOC_END +NAME: ssl_bump +IFDEF: USE_SSL +TYPE: acl_access +LOC: Config.accessList.ssl_bump +DEFAULT: none +DOC_START + This ACL controls which CONNECT requests to an http_port + marked with an sslBump flag are actually "bumped". Please + see the sslBump flag of an http_port option for more details + about decoding proxied SSL connections. + + By default, no requests are bumped. + + See also: http_port sslBump + +NOCOMMENT_START +# Example: Bump all requests except those originating from localhost and +# those going to webax.com or example.com sites. +# +# acl localhost src 127.0.0.1/32 +# acl broken_sites dstdomain .webax.com +# acl broken_sites dstdomain .example.com +# ssl_bump deny localhost +# ssl_bump deny broken_sites +# ssl_bump allow all +NOCOMMENT_END +DOC_END + NAME: sslproxy_flags IFDEF: USE_SSL DEFAULT: none 
@@ -1264,12 +1308,48 @@ LOC: Config.ssl_client.flags TYPE: string DOC_START Various flags modifying the use of SSL while proxying https:// URLs: - DONT_VERIFY_PEER Accept certificates even if they fail to - verify. + DONT_VERIFY_PEER Accept certificates that fail verification. + For refined control, see sslproxy_cert_error. NO_DEFAULT_CA Don't use the default CA list built in to OpenSSL. DOC_END + +NAME: sslproxy_cert_error +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cert_error +TYPE: acl_access +DOC_START + Use this ACL to bypass server certificate validation errors. + + For example, the following lines will bypass all validation errors + when talking to servers located at 172.16.0.0/16. All other + validation errors will result in ERR_SECURE_CONNECT_FAIL error. + + acl BrokenServersAtTrustedIP dst 172.16.0.0/16 + sslproxy_cert_error allow BrokenServersAtTrustedIP + sslproxy_cert_error deny all + + This option must use fast ACL expressions only. Expressions that use + external lookups or communication result in unpredictable behavior or + crashes. + + Without this option, all server certificate validation errors + terminate the transaction. Bypassing validation errors is dangerous + because an error usually implies that the server cannot be trusted and + the connection may be insecure. + + See also: sslproxy_flags and DONT_VERIFY_PEER. + +NOCOMMENT_START +#Default setting: +# sslproxy_cert_error deny all +NOCOMMENT_END +DOC_END + + + NAME: sslpassword_program IFDEF: USE_SSL DEFAULT: none diff --git a/src/structs.h b/src/structs.h index 6408727000..b4ad30392f 100644 --- a/src/structs.h +++ b/src/structs.h @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.574 2008/02/08 01:56:33 hno Exp $ + * $Id: structs.h,v 1.575 2008/02/11 22:28:47 rousskov Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -36,6 +36,7 @@ #include "config.h" #include "RefCount.h" +#include "cbdata.h" /* needed for various structures still in structs.h */ #include "dlink.h" 
@@ -123,61 +124,6 @@ struct _relist relist *next; }; -struct _http_port_list -{ - http_port_list *next; - - IPAddress s; - char *protocol; /* protocol name */ - char *name; /* visible name */ - char *defaultsite; /* default web site */ - -unsigned int transparent: - 1; /* transparent proxy */ - -unsigned int accel: - 1; /* HTTP accelerator */ - -unsigned int vhost: - 1; /* uses host header */ - - int vport; /* virtual port support, -1 for dynamic, >0 static*/ - int disable_pmtu_discovery; -#if LINUX_TPROXY -unsigned int tproxy: - 1; /* spoof client ip using tproxy */ -#endif - struct { - unsigned int enabled; - unsigned int idle; - unsigned int interval; - unsigned int timeout; - } tcp_keepalive; -}; - - -#if USE_SSL - -struct _https_port_list -{ - http_port_list http; /* must be first */ - char *cert; - char *key; - int version; - char *cipher; - char *options; - char *clientca; - char *cafile; - char *capath; - char *crlfile; - char *dhfile; - char *sslflags; - char *sslcontext; - SSL_CTX *sslContext; -}; - -#endif - #if DELAY_POOLS #include "DelayConfig.h" #endif @@ -591,6 +537,10 @@ struct _SquidConfig acl_access *htcp; acl_access *htcp_clr; #endif + +#if USE_SSL + acl_access *ssl_bump; +#endif } @@ -734,6 +684,7 @@ struct _SquidConfig char *capath; char *crlfile; char *flags; + acl_access *cert_error; SSL_CTX *sslContext; } diff --git a/src/typedefs.h b/src/typedefs.h index eda169f829..c60c56c1cc 100644 --- a/src/typedefs.h +++ b/src/typedefs.h @@ -1,6 +1,6 @@ /* - * $Id: typedefs.h,v 1.192 2008/01/07 17:12:28 hno Exp $ + * $Id: typedefs.h,v 1.193 2008/02/11 22:28:47 rousskov Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -84,9 +84,8 @@ typedef struct _ushortlist ushortlist; typedef struct _relist relist; -typedef struct _http_port_list http_port_list; - -typedef struct _https_port_list https_port_list; +struct http_port_list; +struct https_port_list; typedef struct _SquidConfig SquidConfig;
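Review bot: the sslBump flag text in the http_port hunk does not say what happens to CONNECT requests on an sslBump port that do not match the ssl_bump ACL; since the ssl_bump directive defaults to bumping nothing, a sentence stating that unmatched CONNECT requests are tunnelled as before would remove the ambiguity. It would also help to say here that cert= is the certificate presented to the bumped client, since that is the one the client must trust for the interception to be noticed or accepted.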
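Review bot: the ssl_bump example uses .webax.com, a real third-party domain, next to example.com; a reserved example domain (example.net or example.org) avoids pointing readers at an unrelated site. Also, sslproxy_cert_error in the same file carries a "#Default setting:" block while ssl_bump only states "By default, no requests are bumped" in prose; an explicit "# ssl_bump deny all" default block would keep the two new directives consistent and make the safe default visible in the generated squid.conf.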
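Review bot: the warning that sslproxy_cert_error "must use fast ACL expressions only" or Squid may crash should be enforced rather than documented; the parser should reject, or at least warn about, slow ACL types on this directive at configuration time, since a misconfiguration that crashes the proxy is a denial-of-service risk. Two style points in the same hunk: "#Default setting:" lacks the space after "#" that the "# Example:" comment above uses, and three blank lines are added before NAME: sslpassword_program where one would do.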
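Review bot: the hunk removing _http_port_list and _https_port_list from structs.h has no matching definition in this diff (the ProtoPort.{cc,h} named in the commit message are not shown), so the patch as presented does not build on its own; please include those files in the same commit so every revision compiles. While the struct is being moved, the "http; /* must be first */" layout dependency that the commit message calls a hack deserves at least a comment at the cast sites so a later field reorder does not silently break it.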
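Review bot: cert_error is added beside flags with DEFAULT: none in cf.data.pre, so it will be a NULL pointer until an administrator adds a rule; the code that consults it must treat NULL as "bypass nothing", matching the documented "sslproxy_cert_error deny all" default, because the safe failure mode is to terminate the transaction. A comment on the field stating that invariant would help.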
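Review bot: replacing "typedef struct _http_port_list http_port_list;" with "struct http_port_list;" renames the tag, so any remaining "struct _http_port_list" or "struct _https_port_list" references elsewhere will stop compiling, and every translation unit that dereferences these now forward-declared types must include the header that defines them (ProtoPort.h per the commit message, absent from this diff). Worth a grep before merge.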