Browser vendors will get rid of SSL certificates that use SHA-1 to generate
the hash that is then signed by the CA. For example, Google Chrome will start
to show an "insecure" sign for certificates that are valid after 1.1.2016 and
will generate a warning page for certificates that are valid after 1.1.2017 [1],
[2],[4]. Microsoft will block certificates with SHA-1 after 1.1.2017 [3].
This patch:
1) Add a new configuration option to select the signing hash for
generated certificates: sslproxy_cert_sign_hash.
2) If sslproxy_cert_sign_hash is not set, then use the sha256 hash.
This patch add support for the "Validate server certificates without bumping"
use case described on the Peek and Splice wiki page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
This patch send to the certificate validation helper the certificates and
errors found in SslBump3 step, even if the splicing mode selected.
In the case the validation helper found errors in certificates an error
page returned to the http client.
The SSL error forwarding is controlled by ACLs along these lines:
sslproxy_cert_error allow sslBoringErrors
sslproxy_cert_error allow serversWithInvalidCerts
sslproxy_cert_error deny all
Amos Jeffries [Thu, 2 Oct 2014 12:07:26 +0000 (05:07 -0700)]
Portability: provide xstatvfs() shim for system call statvfs()
statfs() and struct statfs have been deprecated for years. Hoewver the
POSIX statvfs replacements are still not universally available.
Remove deprecated statfs() and struct statfs usage from Squid. Although
they may still be used by the xstatvfs() compatibility wrapper if they
are the only available API.
- Record SSL bump action at each bumping step in the Ssl::ServerBump.
The new Ssl::ServerBump::act member added for this purpose.
- Split Ssl::PeerConnector::checkForPeekAndSplice to two methods
(checkForPeekAndSplice and checkForPeekAndSpliceDone) add some
documentation, and polish the code.
- Polish httpsSslBumpStep2AccessCheckDone function (client_side.cc file)
The PID and thus parent process PID concept is not available in Windows
and MinGW at least lacks the API mechanism.
This may re-open an issue with kid processes notifying the coordinator
when they are shutting down. If so we need to find an alternative
mechanism to replace this use of kill(getppid(), SIGUSR1)
Cleanup: convert AuthUserIP from CBDATA to MEMPROXY class
This object was not needing to be passed as callback arguments
but was using CBDATA type to gain memory pooling.
Converting to the correct pooling mechanism removes some more
uses of cbdataFree() and ensures the object and its members
destructors are called properly.
Cleanup: use SBuf::npos instead of npos in SBuf::append()
Small experiment. It is possible on some systems that std::npos / ::npos
is defined with a different integer size and value.
This may be what is confusing Coverity scan and producing buffer overrun
alerts in the append() c-string with default parameter case.
If ConfigParser::QuotedOrToEol() happend to return NULL. Which may happen
if there is no token before end of current file the auth module config
parser would crash.
Do not crash when sending %ssl::cert_subject to external ACL w/o certificate.
An ACL check in ConnStateData::postHttpsAccept (e.g., when dealing with an
intercepted SSL connection) uses an HttpRequest object that is not yet linked
with the ConnStateData object. Do not blindly dereference the pointer to the
latter.
Fixes a squid crash when a foreign protocol client connected to an https_port
The Ssl::Bio::read will fail to recognize SSL protocol and will return "-1"
as readed SSL bytes. The Ssl::ClientBio::read must return error (-1)
in this case.
Send selected SSL version and cipher to the certificate validation helper.
This patch sends the selected cipher suite and the selected SSL/TLS version
to the certificate verification helper using the "proto_version=v" and
"cipher=c" key=value pairs.
On MinGW at least macro replacement appears to be case insensitive.
The lower-case freeaddrinfo/initaddrinfo system functions are defined
with macros, both in MinGW headers and Squid libcompat.
SourceLayout: rename auth module files to match guidelines
* Squid-3 coding guidelines require that files are named after the
class(es) contained within. Rename the files containing auth Config
classes to match.
* Remove the unused DefaultAuthenticateChildrenMax macros.
* simplify included headers in auth modules.
* alphabetize the order auth modules are detected.
Windows: Fix error displaying helper name on pipe close errors
The helper name string is not directly available to the HelperServerBase
methods for closing pipes. Pass it from the method callers as needed and
drop logging of the command line details.
idnsParseResolvConf() had been disabled for all windows builds. Cygwin
does provide this system config file.
Also, instead of seeding #if/#endif wrappers around always call the
function and just wrap its internals away from Windows builds that do
not supply the necessary config file.
Portability: rename BodyPipe member to avoid clash with pipe() macro
Our Windows compatibility layer defines pipe() as a macro. On MinGW at
least the precompiler makes no distinction between parameterless macro
pipe() and pipe variables.
Use thePipe for member naming and aPipe for function local variables.
Windows: fix mapping between POSIX and Windows socket types
MinGW at least still defines several socket structure fields with size_t
instead of socklen_t. In order to maintain the POSIX API definition in
appearance we need to cast these types to their POSIX variant regardless
of whether size_t or socklen_t is used.
* Windows defines CMSG_DATA macro name for uses unrelated to the BSD
socket CMSG mechanism. Define SQUID_CMSG_DATA as a generic replacement.
* MinGW provides a wrapper layer emulating the BSD socket CMSG mechanism
in the form of WSA_CMG_* macros for the BSD struct types.
Detect and use those wrapper macros when available.
Cleanup: wrap some C-includes with protective macros
Squid-3 guidelines require that C-header includes should be wrapped
and the absence of wrapping causes build errors on Windows at least for
these ones.
Source Maintenance: fix various maintenance script issues
* ensure auto-generated .list are sorted, instead of ad-hoc system
dependent ordering which can cause needless updates.
* grep only paths with *.* (usually files) instead of all items in each
directory. This avoids scanning sub-directory indexes with grep, which
produces fatal errors on some systems.
* add check for Squid Software Foundation copyright blurb and highlight
files needing attention.
%<tt (total server time) is not computed in some cases
The total server time is not computed for CONNECT requests.
An other example case is when server-first bumping mode is used and squid
connects to SSL peer, but connection terminated before the SSL handshake
completes.
PROXY protocol has been developed by Willy Tarreau of HAProxy for
communicating original src and dst IP:port details between proxies and
load balancers in a protocol-agnostic way.
stunnel, HAProxy and some other HTTP proxying software are already
enabled and by adding support to Squid we can effectively chain these
proxies without having to rely on X-Forwarded-For headers.
This patch adds http_port mode flag (require-proxy-header) to signal the
protocol is in use, parsing and processing logics for the PROXY protocol
headers on new connections, and the proxy_protocol_access control to
manage inbound connections.
The indirect client security/trust model remains unchanged. As do all
HTTP related logics on the connection once PROXY protocol header has
been received.
Furture Work:
* support sending PROXY protocol to cache_peers
* support receiving PROXY protocol on https_port
* rework the PROXY parse logics as a Parser-NG child parser.
Close active pconns after their *_port goes away on reconfigure.
This change reduces what may be perceived as reconfigure memory leaks
related to *_port options. Before this change, a single persistent
connection could continue to receive new requests (and tie no longer
globally accessible PortCfg-related structures) for hours.
The goal of this patch is to make SSL bumping decision after the origin server
name is known.
Peek and Splice peeks at the SSL client Hello message and SNI info if any
(bumping step 1), sends identical or a similar Hello message to the SSL server
and peeks at the SSL server Hello message (bumping step 2), and finally
decides to proceed with splicing or bumping the connection (bumping step 3).
After the step 1 bumping step completes the SNI information is available and
after the step 2 bumping step completes the server certificate is available.
The ssl_bump access list evaluated on every bumping step to select the bumping
mode to use. The new acl "at_step" can be used to match the current bumping
step.
In most cases:
- if the user select "peek" bumping mode at step2 then at step3 can select
one of the "splice" or "terminate" modes.
- If the user select "stare" bumping mode at step2 then at step 3 can select
one of the "bump" or "terminate" modes.
If the squid built with the SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK and the
client uses openSSL library similar to the library used by squid then bumping
is possible after "peek" bumping mode selection and "splice" after "stare"
bumping mode selection.
The bump, terminate and splice are final decisions.
Fixes and polishing in response to Amos' squid-dev review dated 2014/08/19
- Polishing changes
- Move src/acl/AtBumpStep*.[cc,h] files to src/acl/AtStep*.[cc,h]
- Convert Ssl::Bio::sslFeatures::serverName,
Ssl::Bio::sslFeatures::HelloMesssage and Ssl::ServerBio::helloMsg members
to SBuf
Amos Jeffries [Tue, 26 Aug 2014 02:39:30 +0000 (19:39 -0700)]
Boilerplate: update acinclude/ and configure.ac copyrights
* update CONTRIBUTORS with missing contributors
* update CREDITS with missing copyright licenses
- remove outdated Treehouse Networks license on rfc3596.h rfc3596.cc
- shuffle some entries for easier reading. Alphabetical by first source
file path.
* split AX_WITH_PROG() macro into its own source file to clarify the
license scope. It is provided as a standalone file by the author(s).
Amos Jeffries [Mon, 25 Aug 2014 15:47:04 +0000 (08:47 -0700)]
Boilerplate: update copyright licenses on include/ sources
* add Squid Software Foundation blurb
* update CONTRIBUTORS with missing authors
* update CREDITS with missing license and copyright statements
It looks a bit messy, but Carnegie Mellon Univeristy license requires
that several very similar but unique copyright and license blurbs be
documented unabreviated.
Squid-3 is now being administered by the Squid Software Foundation,
a non-profit organisation created for the purpose of providing
governance and representation for the Squid Project and community
of contributors.
http://www.squid-cache.org/Foundation/
As such the Squid source code collection is being prefixed with a
new copyright blurb:
* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
Existing copyright claims on specific source code files are being
preserved in-situ following this collection blurb.
With some exceptions where existing copyright owners have explicitly
given permission for their specific claim statements to be moved to
the CONTRIBUTORS file and assist removal of the inconsistent and
now often incorrect Harvest and Squid Project blurb(s).
This patch publishes the script and boilerplate text used to perform
this change of copyright marking for public review.
Also, adds some administrative polishing in preparation for the
blurb adjustments.
Amos Jeffries [Mon, 25 Aug 2014 04:53:57 +0000 (21:53 -0700)]
Cleanup: remove SQUID_NO_STRING_BUFFER_PROTECT and SQUID_UNIT_TEST macros
These macros were used solely to prevent cppunit and operating system
includes from generating build errors and warnings via Squid protection
from unsafe use of sprintf, strdup and other allocator and string
functions.
The protection against these functions has long ago been move to
source-maintenance script instead of runtime checking. Making these
macros obsolete.
projects / thirdparty / squid.git / log
