Squid closes the SSL client connection with "Failed to start fake CONNECT
request for ssl spliced connection". This happens especially often when
the pipeline_prefetch configuration parameter is set to "0" (i.e., default).
When a transparent SSL connection is peeked and then spliced in step2, we are
generating a fake CONNECT request. The fake CONNECT request is counted as a
new pipelined request and may exceed the configured limit. This patch solves
this problem by raising the limit for that request.
Needs more work to better identify the requests that need a different limit.
Joshua Root [Wed, 25 Feb 2015 13:32:14 +0000 (14:32 +0100)]
Bug 3805: support shared memory on MacOS X in Mem::IPC::Segment
MacOS X doesn't support the O_TRUNC flag to shm_open; it is redundant anyway
because the shared memory segment is truncated immediately after opening
as per best practices. With this support Squid can now be built and run
under MacOS X.
Amos Jeffries [Mon, 23 Feb 2015 06:34:49 +0000 (22:34 -0800)]
Remove cache_peer_domain directive
Identical functionality is provided through cache_peer_access.
While this check appears at face value to be simpler than ACLs, the
reality is that:
* the difference is simply the time it takes to initialize and destruct
an on-stack Checklist,
* processing the checks may take longer than ACLs (linked-list of string
comparisons vs single tree lookup),
* ACLs are the common case due to their extra flexibility, and
* extra work is being done per-transaction just to check which of the
two features is in use.
By removing it we gain less code and fewer configuration directives to work
around in the long term.
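The migration the commit describes, shown as an added squid.conf fragment (not part of the original change log): a cache_peer_domain rule and the equivalent cache_peer_access rules built from dstdomain ACLs. The peer name, port and domain names are hypothetical.

```conf
# Before: cache_peer_domain selects the peer by destination domain.
# Negated entries ("!") exclude a domain that an earlier entry would match.
cache_peer parent.example.net parent 3128 0 no-query
cache_peer_domain parent.example.net !.internal.example.com
cache_peer_domain parent.example.net .example.com .example.org

# After: the same policy expressed with ACLs and cache_peer_access.
# Rules are evaluated in order; the explicit "deny all" keeps the peer
# from being used for anything not listed (cache_peer_domain's implicit
# behaviour was to deny unlisted domains as well).
cache_peer parent.example.net parent 3128 0 no-query
acl peerExcluded dstdomain .internal.example.com
acl peerDomains  dstdomain .example.com .example.org
cache_peer_access parent.example.net deny  peerExcluded
cache_peer_access parent.example.net allow peerDomains
cache_peer_access parent.example.net deny  all
```

Ordering matters: the deny for the excluded sub-domain must precede the allow, since ".example.com" also matches "host.internal.example.com".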
Amos Jeffries [Sat, 21 Feb 2015 12:29:16 +0000 (04:29 -0800)]
Use RefCount::dereference() correctly in move assignment
The dereference() member is actually an update operation on the stored
pointer. We can and should just use it to steal the other's pointer
instead of using it on our own then stealing.
Amos Jeffries [Thu, 19 Feb 2015 02:50:51 +0000 (18:50 -0800)]
basic_nis_auth: fail authentication on crypt() failures
... instead of crashing the helper.
"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
Amos Jeffries [Thu, 19 Feb 2015 02:48:23 +0000 (18:48 -0800)]
basic_getpwnam_auth: fail authentication on crypt() failures
... instead of crashing the helper.
"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
Problem description:
- Squid sslproxy_options deny the use of TLSv1_2 SSL protocol:
sslproxy_options NO_TLSv1_2
- Squid uses peek mode for bumped connections.
- Web client sends a TLSv1_2 hello message and squid in peek mode, forwards
the client hello message to server
- Web server responds with a TLSv1_2 hello message
- Squid while parsing server hello message aborts with an error because
sslproxy_options deny the use of TLSv1_2 protocol.
This patch fixes squid to ignore sslproxy_options when peek or stare bumping
mode selected on bumpStep2 bumping step.
The sslproxy_options are applied if bump (server-first or client-first) mode
is selected on bumpStep1 or bumpStep2 bumping step.
Also applied for "GET https://..." requests.
The original intent for this option was to improve caching. However
HTTP/1.1 permits caching of authenticated messages under conditions
which Squid does check for and obey already.
The legacy popularity of this option from old Squid without the HTTP/1.1
compliant behaviour is now just forming a security and privacy abuse.
Amos Jeffries [Tue, 10 Feb 2015 22:55:58 +0000 (14:55 -0800)]
Parser-NG: HTTP request-line parser replacement
Converts the request-line parse method from a char* string parser to
using ::Parser::Tokenizer based processing.
* The characters for each token are now limited to the RFC 7230
compliant values. The URI is taken as a whole token and characters which
are valid in only one sub-token segment are accepted regardless of their
position. In relaxed parse that is extended beyond the valid URI
characters to include the whitespace characters.
* Whitespace tolerance is extended to include "binary" whitespace VTAB,
HTAB, CR and FF characters specified in RFC 7230.
* The Squid specific tolerance for whitespace prefix to method is
removed. RFC 7230 clarifies that tolerance before request-line is
specifically and only for whole empty lines (sequences of CRLF or LF).
* The unit tests are extended to check strict and relaxed parse within
the new characterset limits. Drip-feed incremental test updated to check
both parser modes explicitly.
* ::Parser::Tokenizer is extended with methods to skip or retrieve a
token at the suffix of the stored buffer. This is used by the whitespace
tolerant parse to process the URL and HTTP-version tokens from the line
"backwards" from the LF position.
CoAdvisor and Polygraph show no differences. Which is expected since
coadvisor does not test RFC 7230 edge cases (yet), and polygraph is not
stressing incremental parse capabilities.
Eldar Akchurin [Tue, 10 Feb 2015 03:44:32 +0000 (19:44 -0800)]
Bug 4073: Cygwin compile errors
Remove the definition of _SQUID_WINDOWS_ for Cygwin builds. The blend
of win32 and Linux environments is sufficiently different to have major
build issues. We have a precedent in kFreeBSD blend of BSD and Linux to
consider Cygwin a blend and first-class OS.
Also, temporarily disable the Win32-specific libraries and objects until
they can be properly tested.
Fix some small remaining compile errors after the above.
Cygwin Windows build is sponsored by Diladele B.V.
Amos Jeffries [Fri, 6 Feb 2015 21:23:19 +0000 (13:23 -0800)]
Fix for Coverity Scan false positives in SBuf
Coverity scanner gets badly confused with SBuf::npos being used as
default parameter value, even though it's used to indicate that
strlen() needs to be used on the string.
This is an experiment to see if it gets less confused by having
explicit overloads for the two cases and not using SBuf::npos value
in relation to the unknown length c-strings.
Amos Jeffries [Fri, 6 Feb 2015 20:09:03 +0000 (12:09 -0800)]
Fix crash when parsing invalid squid.conf
If a time value is going to overflow with default units the
critical debugs() can trigger a segfault instead of logging
and aborting Squid with self_destruct().
Amos Jeffries [Fri, 6 Feb 2015 12:46:54 +0000 (04:46 -0800)]
Add tolerance for whitespace within URI
RFC 7231 advises that there are still clients failing to properly encode
characters within URI. Tolerant parsers should accept that, and later
'reject' with a redirection to a properly encoded form of the URL.
Amos Jeffries [Wed, 4 Feb 2015 21:37:28 +0000 (13:37 -0800)]
Drop unused cbdata.h definitions and re-document
Remove the now unused cbdataFree, cbdataAlloc, CBDATA_TYPE,
CBDATA_INIT_TYPE, CBDATA_INIT_TYPE_FREECB symbols.
Re-write CBDATA documentation to reflect the current available
API symbols, their usage, and mechanisms that should be used
instead of CBDATA such as AsyncJob/Call and RefCount.
Along with some doxygen polishing to meet currently agreed
style for how to document major code features.
Make generic_cbdata::data a private member. The constructor
and unwrap() operator provide all necessary public API.
Replace store_client.cc use of cbdataInternalLock/Unlock with
a CbcPointer<> smart pointer equivalent. The use remains an
abuse of CBDATA, just no longer directly referencing the
internal API functions.
Amos Jeffries [Wed, 4 Feb 2015 17:38:27 +0000 (09:38 -0800)]
Fix some cbdataFree related memory leaks
The delete operator should have been called for these objects after
previous code changes converted them to CBDATA_CLASS. As a result any
member objects relying on their destructor to cleanup were being leaked.
Also, make generic_cbdata::data a private member. The unwrap() method is
easily used now.
Amos Jeffries [Sun, 1 Feb 2015 21:25:46 +0000 (13:25 -0800)]
Cleanup: migrate CachePeer to CBDATA_CLASS API
Replace the alloc/free for CachePeer with new/delete from
the CBDATA_CLASS API.
Shuffle class member default values to constructor.
Shuffle class cleanup code from the (3!) different mechanisms
where it was being done to the class destructor. Also
releasing some memory which was previously leaked on
reconfigure.
Drop the now unused CBDUNL type definition and peerDestroy()
cleanup handler for CachePeer.
Amos Jeffries [Sat, 31 Jan 2015 19:09:22 +0000 (08:09 +1300)]
Per-rule refresh_pattern matching statistics
.. to make it blindingly obvious from the cachemgr report which rules
are completely useless. Such as when the global dot pattern (.) is
placed ahead of custom rules, or one rule's pattern is always a subset
of an earlier pattern.
This also allows sysadmin to tune refresh_pattern ordering so most
commonly matching rules are first.
Amos Jeffries [Sat, 31 Jan 2015 14:10:25 +0000 (06:10 -0800)]
Stop emitting (Proxy-)Authentication-Info for Negotiate
This header is not defined for use by RFC 4559, and there seem to
be no clients actually using it.
The syntax Squid was using to emit the details was also clashing
with the syntax defined for use in Digest which is becoming the
standardized ABNF syntax for the header in general.
Amos Jeffries [Sun, 25 Jan 2015 04:48:21 +0000 (20:48 -0800)]
Remove dst ACL dependency on HTTP request message existence
The ACL checklist dst_addr member can be used in cases where the HTTP
message is not provided. Such as ssl_bump, ICAP outgoing IP, or peer
selection probes.
When the prefix() method is passed a set limit for characters to scan and
the matched characters do reach that limit the entire Tokenizer buffer
content is consumed and returned.
Correct operation is to only consume and return the matched characters.
Add missing root CAs when validating chains that passed internal checks.
When internal checks found no certificate errors, Squid does not include root
CA certificate in certificates chain sent to the certificate validator. Squid
just sent the certificates chain sent by the SSL server.
This patch stores the full certificates list built by OpenSSL while validating
the SSL server certificates chain, even if no certificate error is found, and sends
this list to certificate validator.
Amos Jeffries [Thu, 22 Jan 2015 12:54:08 +0000 (04:54 -0800)]
RFC 7230 compliant request-line parser based on Tokenizer API
Refactor the request-line parser using a Tokenizer.
RFC 7230 requirements provide field terminator/delimiter limitations and
character sets for token validation. Also provides definitions of
boundaries for relaxed/tolerant parsing without needing Squid-specific
RFC violations.
This implementation is slightly stricter regarding whitespace in URLs
than previous implementation. It obeys a SHOULD requirement in RFC 7230
regarding responding with 400 status to those broken request messages.
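An added example, written here rather than taken from Squid, that ties together three of the commits above: the Tokenizer prefix() limit fix (only the matched characters are consumed when the scan limit is reached), the suffix-based "backwards" parse of the HTTP-version token, and the strict versus relaxed request-line parse with the RFC 7230 tchar/VCHAR character sets and binary whitespace tolerance. The class and function names, the MethodLimit value, and the sample request lines are all assumptions made for this example; the real Squid classes differ.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Character classes from RFC 7230 ABNF (tchar, VCHAR) plus the "binary"
// whitespace (HTAB, VT, FF, CR) that the relaxed parser tolerates.
bool isTchar(char c) {
    static const std::string extra("!#$%&'*+-.^_`|~");
    return std::isalnum(static_cast<unsigned char>(c)) || extra.find(c) != std::string::npos;
}
bool isVchar(char c) { return c > 0x20 && c < 0x7f; }
bool isSp(char c) { return c == ' '; }
bool isBinaryWs(char c) { return c == ' ' || c == '\t' || c == '\v' || c == '\f' || c == '\r'; }
bool isUriRelaxed(char c) { return isVchar(c) || isBinaryWs(c); }

class Tokenizer {
public:
    explicit Tokenizer(const std::string &buf) : buf_(buf) {}

    // Consume and return the leading run of chars matching pred, at most
    // limit characters. Only the matched characters are consumed, even when
    // the run reaches limit; the rest of the buffer stays for the next call.
    bool prefix(std::string &out, bool (*pred)(char), size_t limit = std::string::npos) {
        size_t n = 0;
        while (n < buf_.size() && n < limit && pred(buf_[n]))
            ++n;
        if (n == 0)
            return false;
        out = buf_.substr(0, n);
        buf_.erase(0, n);
        return true;
    }

    // Consume and return the trailing run of chars matching pred, so the
    // tokens at the end of a line can be parsed "backwards" from the LF.
    bool suffix(std::string &out, bool (*pred)(char)) {
        size_t n = 0;
        while (n < buf_.size() && pred(buf_[buf_.size() - 1 - n]))
            ++n;
        if (n == 0)
            return false;
        out = buf_.substr(buf_.size() - n);
        buf_.erase(buf_.size() - n);
        return true;
    }

    const std::string &remaining() const { return buf_; }

private:
    std::string buf_;
};

struct RequestLine {
    std::string method, uri, version;
};

const size_t MethodLimit = 32;  // assumed local policy, not an RFC value

bool allOf(const std::string &s, bool (*pred)(char)) {
    for (size_t i = 0; i < s.size(); ++i)
        if (!pred(s[i]))
            return false;
    return !s.empty();
}

// Parse one request-line ending in CRLF or LF. strict: exactly one SP between
// tokens and no whitespace in the request-target (RFC 7230 section 3.1.1).
// relaxed: runs of binary whitespace delimit tokens and may also appear inside
// the request-target, so the version is peeled off the end of the line first.
// Whitespace before the method is rejected in both modes. Returns false where
// a server should answer 400.
bool parseRequestLine(const std::string &line, bool relaxed, RequestLine &out)
{
    std::string body = line;
    if (body.empty() || body[body.size() - 1] != '\n')
        return false;
    body.erase(body.size() - 1);
    if (!body.empty() && body[body.size() - 1] == '\r')
        body.erase(body.size() - 1);

    bool (*ws)(char) = relaxed ? isBinaryWs : isSp;
    Tokenizer tk(body);
    std::string delim;
    // An over-long method stops at MethodLimit; the leftover tchar is then
    // not a delimiter, so the line is rejected instead of silently swallowed.
    if (!tk.prefix(out.method, isTchar, MethodLimit) || !tk.prefix(delim, ws))
        return false;
    if (!relaxed && delim.size() != 1)
        return false;
    if (!tk.suffix(out.version, isVchar) || !tk.suffix(delim, ws))
        return false;
    if (!relaxed && delim.size() != 1)
        return false;
    if (out.version.size() != 8 || out.version.compare(0, 5, "HTTP/") != 0 ||
        !std::isdigit(static_cast<unsigned char>(out.version[5])) || out.version[6] != '.' ||
        !std::isdigit(static_cast<unsigned char>(out.version[7])))
        return false;
    out.uri = tk.remaining();
    return allOf(out.uri, relaxed ? isUriRelaxed : isVchar);
}
```

Parsing the version from the end is what makes whitespace inside the request-target tolerable without guessing where the URI stops; in strict mode the same line is rejected with 400, which is the SHOULD the last commit refers to.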