From: Christos Tsantilas
Date: Tue, 30 Dec 2014 15:33:40 +0000 (+0200)
Subject: Fixed handling of invalid SSL server certificates when splicing connections.
X-Git-Tag: merge-candidate-3-v1~401
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=de97c33d5586e4516535e74ed0c55bd8d8c7b986;p=thirdparty%2Fsquid.git

Fixed handling of invalid SSL server certificates when splicing connections.

An unpatched Squid in peek-and-splice mode may splice connections after receiving a malformed or unsupported SSL server Hello message. This may happen even if sslproxy_cert_error tells Squid to honor the error.

After this change, Squid honors the sslproxy_cert_error setting when:

* no server certificate was found and checked using the Squid validation procedure (e.g., because the SSL server Hello response was malformed or unsupported); or
* the Squid server certificate validation procedure has failed.

If the certificate error is not allowed, Squid terminates the server connection and attempts to bump the client connection to deliver the error message to the user.

This is a Measurement Factory project

---
diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc index 095fe317c0..1308b0bd06 100644 --- a/src/ssl/PeerConnector.cc +++ b/src/ssl/PeerConnector.cc 
@@ -541,8 +541,14 @@ Ssl::PeerConnector::handleNegotiateError(const int ret) // In this case the connection can be saved. // If the checklist decision is do not splice a new error will // occure in the next SSL_connect call, and we will fail again. + // Abort on certificate validation errors to avoid splicing and + // thus hiding them. + // Abort if no certificate found probably because of malformed or + // unsupported server Hello message (TODO: make configurable). #if 1 - if ((request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) { + if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) && + SSL_get_peer_certificate(ssl) && + (request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) { debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd); checkForPeekAndSplice(); return;
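Review bot: The `SSL_get_peer_certificate(ssl)` call in the new condition leaks a certificate reference: OpenSSL returns the peer X509 with its reference count incremented and expects the caller to `X509_free()` it, but here the result is only tested for non-NULL and then dropped, so every pass through this error path on a connection that did present a certificate leaks one reference. Capture the pointer before the branch, record whether it was non-NULL, and release it (guarding the free against NULL), e.g. `X509 *peerCert = SSL_get_peer_certificate(ssl); const bool havePeerCert = peerCert != NULL; if (peerCert) X509_free(peerCert);` and then test `havePeerCert` in the condition. A smaller style point: the combined condition now spans four lines with mixed negated and positive clauses; naming the bump-mode test (`bumpPeek || bumpStare`) as a local boolean would make the "no error detail, certificate present, peeking or staring, write held" intent readable at a glance, and the new comment block would benefit from stating that the no-certificate case falls through to the existing error handling rather than only that it "aborts".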