From: hno <>
Date: Wed, 8 Dec 2004 07:06:03 +0000 (+0000)
Subject: Bug #931: Cleanup of SSL messages on startup/reconfigure
X-Git-Tag: SQUID_3_0_PRE4~991
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9ad01060385a42cbc0b4fc26ad05af9ec13d981;p=thirdparty%2Fsquid.git

Bug #931: Cleanup of SSL messages on startup/reconfigure

The attached patch restructures the SSL initialization in such manner that the SSL contexts are set up after the whole configuration has been read, allowing the cache.log to be opened before.
---
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 6bbdc1d1fd..895bef6906 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: cache_cf.cc,v 1.456 2004/11/06 22:20:47 hno Exp $
+ * $Id: cache_cf.cc,v 1.457 2004/12/08 00:06:03 hno Exp $
  *
  * DEBUG: section 3 Configuration File Parsing
  * AUTHOR: Harvest Derived
@@ -395,6 +395,13 @@ parseConfigFile(const char *file_name)
     }
     defaults_if_none();
+
+    if (!Config.chroot_dir) {
+        leave_suid();
+        _db_init(Config.Log.log, Config.debugOptions);
+        enter_suid();
+    }
+
     configDoConfigure();
     cachemgrRegister("config", "Current Squid Configuration", 
@@ -653,7 +660,32 @@ configDoConfigure(void)
     urlExtMethodConfigure();
 #if USE_SSL
+    debug(3, 1) ("Initializing https proxy context\n");
+    Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath);
+
+    {
+
+        peer *p;
+
+        for (p = Config.peers; p != NULL; p = p->next) {
+            if (p->use_ssl) {
+                debug(3, 1) ("Initializing cache_peer %s SSL context\n", p->name);
+                p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath);
+            }
+        }
+    }
+
+    {
+
+        https_port_list *s;
+
+        for (s = Config.Sockaddr.https; s != NULL; s = s->next) {
+            debug(3, 1) ("Initializing https_port %s:%d SSL context\n", inet_ntoa(s->s.sin_addr), ntohs(s->s.sin_port));
+            s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile);
+        }
+    }
+
 #endif
 }
@@ -1710,12 +1742,6 @@ parse_peer(peer ** head)
         p->digest = cbdataReference(pd);
     }
-#endif
-#if USE_SSL
-    if (p->use_ssl) {
-        p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath);
-    }
-
 #endif
     while (*head != NULL)
         head = &(*head)->next;
@@ -2725,6 +2751,7 @@ free_generic_http_port_data(http_port_list * s)
 {
     safe_free(s->name);
     safe_free(s->defaultsite);
+    safe_free(s->protocol);
 }
 static void
@@ -2834,6 +2861,12 @@ cbdataFree_https_port(void *data)
     free_generic_http_port_data(&s->http);
     safe_free(s->cert);
     safe_free(s->key);
+    safe_free(s->options);
+    safe_free(s->cipher);
+    safe_free(s->cafile);
+    safe_free(s->capath);
+    safe_free(s->dhfile);
+    safe_free(s->sslflags);
 }
 static void
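Review bot: The https_port loop added to configDoConfigure reads `s->s.sin_addr` and advances with `s = s->next`, while the other hunks of this commit reach the same fields through the embedded http_port_list (`(*head)->http.next` in parse_https_port_list, `s->http.s.sin_addr` in clientHttpsConnectionsOpen); unless https_port_list also exposes `s` and `next` directly, which the page does not show, this loop will not compile and should read `for (s = Config.Sockaddr.https; s != NULL; s = (https_port_list *) s->http.next)` with `inet_ntoa(s->http.s.sin_addr), ntohs(s->http.s.sin_port)` in the debug call. The sslCreateServerContext result is also no longer checked at this point, whereas the code removed from parse_https_port_list called self_destruct() on a NULL context, so a broken certificate or key setup is now only reported when the listener is opened. A line such as `if (!s->sslContext) debug(3, 0) ("Failed to initialize https_port SSL context\n");` next to the assignment would keep the failure visible in cache.log alongside the new initialization messages. configDoConfigure starts before the hunk.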
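Review bot: cbdataFree_https_port now releases the per-port option strings, but nothing visible releases `s->sslContext`, which configDoConfigure now (re)creates for every https_port on each configuration pass; if this destructor is where a replaced https_port entry is torn down, the previous SSL_CTX appears to be leaked on every reconfigure. If that is the case, `if (s->sslContext) SSL_CTX_free(s->sslContext);` belongs here, with matching releases for the cache_peer and Config.ssl_client contexts where those are freed. The function starts before the hunk, so part of its body is not visible.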
@@ -2890,11 +2923,6 @@ parse_https_port_list(https_port_list ** head)
         }
     }
-    s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile);
-
-    if (!s->sslContext)
-        self_destruct();
-
     while (*head)
         head = (https_port_list **)&(*head)->http.next;
diff --git a/src/client_side.cc b/src/client_side.cc
index 4d60b8dbb0..8528c0e983 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side.cc,v 1.674 2004/11/16 23:11:46 wessels Exp $
+ * $Id: client_side.cc,v 1.675 2004/12/08 00:06:04 hno Exp $
  *
  * DEBUG: section 33 Client-side Routines
  * AUTHOR: Duane Wessels
@@ -3052,6 +3052,11 @@ clientHttpsConnectionsOpen(void)
             continue;
         }
+        if (s->sslContext == NULL) {
+            debug(1, 1) ("Can not accept HTTPS connections at %s, port %d\n",
+                         inet_ntoa(s->http.s.sin_addr), (int) ntohs(s->http.s.sin_port));
+        }
+
         enter_suid();
         fd = comm_open(SOCK_STREAM, IPPROTO_TCP,
diff --git a/src/ssl_support.cc b/src/ssl_support.cc
index ddf7a6e782..833c471b48 100644
--- a/src/ssl_support.cc
+++ b/src/ssl_support.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: ssl_support.cc,v 1.17 2004/11/06 22:03:57 hno Exp $
+ * $Id: ssl_support.cc,v 1.18 2004/12/08 00:06:04 hno Exp $
  *
  * AUTHOR: Benno Rice
  * DEBUG: section 83 SSL accelerator support
@@ -465,8 +465,6 @@ sslCreateServerContext(const char *certfile, const char *keyfile, int version, c
     if (!CAfile)
         CAfile = clientCA;
-    debug(83, 1) ("Initialising SSL.\n");
-
     switch (version) {
     case 2:
@@ -627,8 +625,6 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, c
     if (!certfile)
         certfile = keyfile;
-    debug(83, 1) ("Initialising SSL.\n");
-
     switch (version) {
     case 2:
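Review bot: The new NULL check in clientHttpsConnectionsOpen logs that HTTPS cannot be accepted on the port but then falls through to enter_suid() and comm_open(), so the listening socket is still created and connections will be accepted on a port that has no SSL context; since this commit also removed the self_destruct() that previously rejected such a configuration in parse_https_port_list, this message is now the only guard. Add `continue;` after the debug() call, mirroring the `continue` the preceding check in this loop already uses, so that a port whose context failed to initialise is skipped instead of opened. The loop body starts before the hunk, so the earlier check is only partly visible.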