From: Christos Tsantilas
Date: Thu, 27 Sep 2012 14:27:44 +0000 (+0300)
Subject: Fix ssl cert validator response codes
X-Git-Tag: SQUID_3_4_0_1~458^2~8^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dd7167ea34de06344337b5044d65566b9b4806a7;p=thirdparty%2Fsquid.git
Fix ssl cert validator response codes
Cert validator should return:
- "OK" in case none certificate error found
- "ERR" in case one or more SSL certificate errors found
- "BH" in case of internal helper error
---
diff --git a/helpers/ssl/cert_valid.pl b/helpers/ssl/cert_valid.pl
index 00ba684e92..78fa31d774 100644
--- a/helpers/ssl/cert_valid.pl
+++ b/helpers/ssl/cert_valid.pl
@@ -26,6 +26,7 @@ while (<>) {
 }
 my $response;
+ my $haserror = 0;
 my $code = $line_args[0];
 my $bodylen = $line_args[1];
 my $body = $line_args[2] . "\n";
@@ -62,6 +63,7 @@ while (<>) {
 # Echo back the errors: fill the responseErrors array with the errors we read.
 foreach $err (@errors) {
+ $haserror = 1;
 appendError (\@responseErrors,
 $err, #The error name
 "Checked by Cert Validator", # An error reason
@@ -71,9 +73,13 @@ while (<>) {
 $response = createResponse(\@responseErrors);
 my $len = length($response);
- $response = "OK ".$len." ".$response."\1";
+ if ($haserror) {
+ $response = "ERR ".$len." ".$response."\1";
+ } else {
+ $response = "OK ".$len." ".$response."\1";
+ }
 } else {
- $response = "ERROR 0 \1";
+ $response = "BH 0 \1";
 }
 print $response;
diff --git a/src/forward.cc b/src/forward.cc
index 8731dc7f9c..c5d7d7f619 100644
--- a/src/forward.cc
+++ b/src/forward.cc
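Review bot: In helpers/ssl/cert_valid.pl the new `if ($haserror)` test in the third hunk keys the OK/ERR status off a flag that only records that the `foreach` body ran, not that `@responseErrors` actually received an entry, so the status code and the body could drift apart if `appendError` ever skips one. Because the Squid side of this commit runs its error check only on `ERR`, it would be safer to derive the code from the data being sent, e.g. `if (@responseErrors) {`, and drop `$haserror` from the first two hunks. A short comment above the branch listing the three codes (`OK` no errors, `ERR` errors in the body, `BH` internal helper failure) would also help, since only the commit message documents them. The enclosing `while (<>)` loop starts and ends outside these hunks, so how `@responseErrors` is reset between requests is not visible here.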
@@ -838,16 +838,19 @@ FwdState::sslCrtvdHandleReply(const char *reply)
 debugs(83, 5, HERE << "Reply from ssl_crtvd for " << request->GetHost() << " is incorrect");
 validatorFailed = true;
 } else {
- if (replyMsg.getCode() != "OK") {
- debugs(83, 5, HERE << "Certificate for " << request->GetHost() << " cannot be validated. ssl_crtvd response: " << replyMsg.getBody());
- validatorFailed = true;
- } else {
+ if (replyMsg.getCode() == "OK") {
 debugs(83, 5, HERE << "Certificate for " << request->GetHost() << " was successfully validated from ssl_crtvd");
+ } else if (replyMsg.getCode() == "ERR") {
+ debugs(83, 5, HERE << "Certificate for " << request->GetHost() << " found buggy by ssl_crtvd");
 errs = sslCrtvdCheckForErrors(validationResponse, errDetails);
- if (!errDetails) {
- dispatch();
- return;
- }
+ } else {
+ debugs(83, 5, HERE << "Certificate for " << request->GetHost() << " cannot be validated. ssl_crtvd response: " << replyMsg.getBody());
+ validatorFailed = true;
+ }
+
+ if (!errDetails && !validatorFailed) {
+ dispatch();
+ return;
 }
 }
 }
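Review bot: In the new `ERR` branch, a reply for which `sslCrtvdCheckForErrors` leaves `errDetails` unset still reaches `if (!errDetails && !validatorFailed)` and is dispatched exactly like `OK`, so a helper that reports failure with an empty or unrecognised error list would presumably be treated as a successful validation. If an `ERR` reply that yields no parsed errors is not meant to be accepted, that case should set `validatorFailed = true` inside the branch; if it is intentional (for example because every reported error may be permitted by policy), a comment such as `// ERR with no remaining errDetails is accepted: all reported errors were allowed` above the `dispatch()` check would make that explicit. Both rejection paths are also logged only at `debugs(83, 5, ...)`, which may leave validator failures invisible at default log verbosity. `sslCrtvdHandleReply` begins outside the hunk, so the initial values of `errDetails` and `validatorFailed` cannot be confirmed from here.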