From: Amos Jeffries Date: Mon, 18 May 2015 12:50:03 +0000 (-0700) Subject: Prevent unused ssl_crtd helpers being run X-Git-Tag: merge-candidate-3-v1~114 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f0763147d6075db1abd2384fcb7494dc69887b09;p=thirdparty%2Fsquid.git Prevent unused ssl_crtd helpers being run The conditions for when to start ssl_crtd helpers was ignoring the generate-host-certificates=off option. Meaning most ssl-bump installs were running them needlessly.
---
diff --git a/src/ssl/helper.cc b/src/ssl/helper.cc
index 511643239f..1331f70b56 100644
--- a/src/ssl/helper.cc
+++ b/src/ssl/helper.cc
@@ -41,12 +41,13 @@ void Ssl::Helper::Init()
 {
 assert(ssl_crtd == NULL);
- // we need to start ssl_crtd only if some port(s) need to bump SSL
+ // we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
+ // TODO: generate host certificates for SNI enabled accel ports
 bool found = false;
 for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
- found = s->flags.tunnelSslBumping;
+ found = s->flags.tunnelSslBumping && s->generateHostCertificates;
 for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next)
- found = s->flags.tunnelSslBumping;
+ found = s->flags.tunnelSslBumping && s->generateHostCertificates;
 if (!found)
 return;
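Review bot: The early `return` after the two port loops now leaves `ssl_crtd` NULL on ssl-bump setups where every port has generate-host-certificates=off, and nothing in this hunk shows that the code submitting certificate requests tests the same per-port condition before touching the helper. That path lies outside the hunk, so this is inferred, but if it only checks `tunnelSslBumping` it would reach a NULL helper. It is worth confirming and recording the invariant beside the check, e.g. `// ssl_crtd stays NULL unless a port both bumps and generates certificates; request paths must test generateHostCertificates first`. The predicate `s->flags.tunnelSslBumping && s->generateHostCertificates` is also written out twice, once per port list, so a small shared helper would keep the two loops from drifting apart. The body of `Ssl::Helper::Init()` continues past the end of the hunk.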