From: Amos Jeffries Date: Thu, 27 Dec 2018 06:42:31 +0000 (+1300) Subject: Update PeekingPeerConnector to use PeerOptions API X-Git-Tag: SQUID_5_0_1~90 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b491f7618569893a62a60bfd0448a974e3eea325;p=thirdparty%2Fsquid.git Update PeekingPeerConnector to use PeerOptions API .. for SSL_set_options() call. Allowing parsedOptions to be private within PeerOptions which is needed to safely delay its value being set until after squid.conf line is fully parsed.
---
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 627e5c43ee..a2ec2a4694 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -598,7 +598,7 @@ Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx) const
 #if USE_OPENSSL
 SSL_CTX_set_options(ctx.get(), parsedOptions);
 #elif USE_GNUTLS
- // NP: GnuTLS uses 'priorities' which are set per-session instead.
+ // NP: GnuTLS uses 'priorities' which are set only per-session instead.
 #endif
 }
@@ -726,7 +726,9 @@ void
 Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s)
 {
 #if USE_OPENSSL
- // 'options=' value being set to session is a GnuTLS specific thing.
+ // XXX: Options already set before (via the context) are not cleared!
+ SSL_set_options(s.get(), parsedOptions);
+
 #elif USE_GNUTLS
 int x;
 SBuf errMsg;
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index 43da1afec1..349081c121 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -82,7 +82,9 @@ public:
 SBuf tlsMinVersion; ///< version label for minimum TLS version to permit
+private:
 Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions
+public:
 long parsedFlags = 0; ///< parsed value of sslFlags
 std::list certs; ///< details from the cert= and file= config parameters
diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index 8531398e53..1a6f996c3d 100644
--- a/src/ssl/PeekingPeerConnector.cc
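Review bot: The new `SSL_set_options(s.get(), parsedOptions);` can only add option bits, because OpenSSL's SSL_set_options() ORs into the session mask and the session starts out with whatever mask its SSL_CTX already carried, so this path cannot withdraw an option that updateContextOptions() or an earlier caller enabled; the added XXX comment hints at this but does not say what a caller should do about it. A caller that narrows parsedOptions and then expects the session to reflect the smaller set will silently keep the old bits, which matters when the option being dropped is a protocol or feature restriction. If per-session removal is ever needed it has to go through SSL_clear_options() before this call; at minimum I would make the comment actionable, e.g. `// NOTE: SSL_set_options() only ORs bits in and cannot undo options inherited from the SSL_CTX; call SSL_clear_options() first if an option must be removed.` updateSessionOptions continues past the end of this hunk, so I cannot see whether the GnuTLS branch has the same limitation.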
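Review bot: Point of style: the added `private:` / `public:` pair hides a single member in the middle of an otherwise public run of fields, so parsedFlags and certs flip back to public on the very next line and a reader scanning the class will easily miss that parsedOptions alone is now inaccessible. I would move `Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions` into a private section at the end of the class rather than toggling access mid-list; the class body continues outside this hunk, so if a private section already exists it should be reused. Since the commit only rewires PeekingPeerConnector.cc as a direct reader, any other site that still dereferences `.parsedOptions` would now fail to compile — worth a grep before merge.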
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -185,7 +185,7 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
 srvBio->mode(csd->sslBumpMode);
 } else {
 // Set client SSL options
- SSL_set_options(serverSession.get(), ::Security::ProxyOutgoingConfig.parsedOptions);
+ ::Security::ProxyOutgoingConfig.updateSessionOptions(serverSession);
 const bool redirected = request->flags.redirected && ::Config.onoff.redir_rewrites_host;
 const char *sniServer = (!hostName || redirected) ?