From: Christos Tsantilas
Date: Fri, 26 Sep 2014 09:32:48 +0000 (+0300)
Subject: Send selected SSL version and cipher to the certificate validation helper.
X-Git-Tag: SQUID_3_5_0_1~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6e3258821a0783169a5a8ff3aec784d01bcbae1d;p=thirdparty%2Fsquid.git

Send selected SSL version and cipher to the certificate validation helper.

This patch sends the selected cipher suite and the selected SSL/TLS version to the certificate verification helper using the "proto_version=v" and "cipher=c" key=value pairs.

This is a Measurement Factory project
---

diff --git a/helpers/ssl/cert_valid.pl b/helpers/ssl/cert_valid.pl
index b1177b654e..ebc3bb3c3f 100755
--- a/helpers/ssl/cert_valid.pl
+++ b/helpers/ssl/cert_valid.pl
@@ -99,9 +99,13 @@ while (<>) {
     print(STDERR logPrefix()."GOT ". "Code=".$code." $bodylen \n") if ($debug); #.$body;
     my $hostname;
-    parseRequest($body, \$hostname, \%errors, \%certs);
+    my $sslVersion = "-";
+    my $sslCipher = "-";
+    parseRequest($body, \$hostname, \$sslVersion, \$sslCipher, \%errors, \%certs);
     print(STDERR logPrefix()."Parse result: \n") if ($debug);
     print(STDERR logPrefix()."\tFOUND host:".$hostname."\n") if ($debug);
+    print(STDERR logPrefix()."\tFOUND ssl version:".$sslVersion."\n") if ($debug);
+    print(STDERR logPrefix()."\tFOUND ssl cipher:".$sslCipher."\n") if ($debug);
     print(STDERR logPrefix()."\tFOUND ERRORS:") if ($debug);
     foreach my $err (keys %errors) {
         print(STDERR logPrefix().$errors{$err}{"name"}."/".$errors{$err}{"cert"}." ,") if ($debug);
@@ -173,6 +177,8 @@ sub parseRequest {
     my($request)=shift;
     my $hostname = shift;
+    my $sslVersion = shift;
+    my $sslCipher = shift;
     my $errors = shift;
     my $certs = shift;
     while ($request !~ /^\s*$/) {
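Review bot: parseRequest now takes six positional arguments, four of them out-references, and the new `$sslVersion`/`$sslCipher` slots are inserted between `$hostname` and `$errors`, so the only visible caller (the main-loop hunk above) had to change in lockstep and nothing documents the order. A header comment above `sub parseRequest {` (the sub starts outside this hunk) would help: `# parseRequest($body, \$host, \$sslVersion, \$sslCipher, \%errors, \%certs): splits the key=value request body; the version/cipher refs are left untouched when the key is absent, so the caller's "-" defaults mark "not sent by Squid".` The same "-" sentinel convention is worth a one-line comment next to the two `my ... = "-";` declarations in the main loop, since that is the only place its meaning is established.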
@@ -183,6 +189,12 @@ sub parseRequest
             $$hostname = $host;
             $request =~ s/^host=.*$//m;
         }
+        if ($request =~ s/^proto_version=(.*?)$//m) {
+            $$sslVersion = $1;
+        }
+        if ($request =~ s/^cipher=(.*?)$//m) {
+            $$sslCipher = $1;
+        }
         if ($request =~ /^cert_(\d+)=/) {
             my $certId = "cert_".$1;
             my($vallen) = index($request, "-----END CERTIFICATE-----") + length("-----END CERTIFICATE-----");
diff --git a/src/ssl/cert_validate_message.cc b/src/ssl/cert_validate_message.cc
index 57337c3003..f0d9f8ebdc 100644
--- a/src/ssl/cert_validate_message.cc
+++ b/src/ssl/cert_validate_message.cc
@@ -21,6 +21,12 @@ Ssl::CertValidationMsg::composeRequest(CertValidationRequest const &vcert)
     body += Ssl::CertValidationMsg::param_host + "=" + vcert.domainName;
     STACK_OF(X509) *peerCerts = static_cast(SSL_get_ex_data(vcert.ssl, ssl_ex_index_ssl_cert_chain));
+    if (const char *sslVersion = SSL_get_version(vcert.ssl))
+        body += "\n" + Ssl::CertValidationMsg::param_proto_version + "=" + sslVersion;
+
+    if (const char *cipherName = SSL_CIPHER_get_name(SSL_get_current_cipher(vcert.ssl)))
+        body += "\n" + Ssl::CertValidationMsg::param_cipher + "=" + cipherName;
+
     if (!peerCerts)
         peerCerts = SSL_get_peer_cert_chain(vcert.ssl);
@@ -231,4 +237,5 @@ const std::string Ssl::CertValidationMsg::param_cert("cert_");
 const std::string Ssl::CertValidationMsg::param_error_name("error_name_");
 const std::string Ssl::CertValidationMsg::param_error_reason("error_reason_");
 const std::string Ssl::CertValidationMsg::param_error_cert("error_cert_");
-
+const std::string Ssl::CertValidationMsg::param_proto_version("proto_version");
+const std::string Ssl::CertValidationMsg::param_cipher("cipher");
diff --git a/src/ssl/cert_validate_message.h b/src/ssl/cert_validate_message.h
index a77aa827ef..7578415ba0 100644
--- a/src/ssl/cert_validate_message.h
+++ b/src/ssl/cert_validate_message.h
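Review bot: The new `s/^proto_version=(.*?)$//m` and `s/^cipher=(.*?)$//m` use a lazy `.*?` that the following `$` anchor makes redundant: without `/s` the dot does not cross a newline, so the capture ends at the line end either way. The neighbouring `s/^host=.*$//m` uses the greedy form, and `s/^proto_version=(.*)$//m` and `s/^cipher=(.*)$//m` would read consistently with it. As far as this diff shows the two values are only echoed in the debug trace, which is worth a comment on the first `if`, e.g. `# informational only: recorded for the debug trace, not used in validation`, so a later reader does not look for a consumer that is not there. The enclosing `while` loop starts and ends outside this hunk.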
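Review bot: The NULL check on `cipherName` does not guard the case it appears to guard: when no cipher has been negotiated, `SSL_get_current_cipher()` returns NULL and OpenSSL's `SSL_CIPHER_get_name()` (ssl_lib.c) maps a NULL cipher to the literal string "(NONE)" rather than returning NULL, so the helper would receive `cipher=(NONE)` instead of the key being omitted and its "-" default never applies. Testing the cipher object keeps the omission semantics: `if (const SSL_CIPHER *cipher = SSL_get_current_cipher(vcert.ssl))` followed by `body += "\n" + Ssl::CertValidationMsg::param_cipher + "=" + SSL_CIPHER_get_name(cipher);`. `SSL_get_version()` likewise returns a fixed string ("unknown" for an unrecognised version) rather than NULL, so its check is harmless, but a short comment noting that both strings come from OpenSSL's static tables and not from the peer would document why no escaping of the key=value lines is needed here. composeRequest begins before this hunk and continues after it.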
@@ -113,6 +113,10 @@ public:
     static const std::string param_error_reason;
     /// Parameter name for passing the error cert ID
     static const std::string param_error_cert;
+    /// Parameter name for SSL version
+    static const std::string param_proto_version;
+    /// Parameter name for SSL cipher
+    static const std::string param_cipher;
 };
 }//namespace Ssl
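Review bot: The new Doxygen lines say only "SSL version" and "SSL cipher", whereas the neighbouring entries describe what the parameter carries in the helper message. `/// Parameter name for the negotiated SSL/TLS protocol version sent to the validator helper` and `/// Parameter name for the negotiated cipher suite name sent to the validator helper` would follow that style and make clear these are the key names of the `proto_version=` and `cipher=` lines, not the values themselves. The class these members belong to starts before this hunk.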