- Defines three steps of the SSL bumping processing:
step1: Get TCP-level and CONNECT info. Evaluate ssl_bump and perform
the first matching action (splice, bump, peek, stare, terminate,
or err)
step2: Get SSL Client Hello info. Evaluate ssl_bump and perform the
first matching action (splice, bump, peek, stare, terminate,
or err). Peeking usually prevents future bumping. Staring
usually prevents future splicing.
step3: Get SSL Server Hello info. Evaluate ssl_bump and perform the
first matching action (splice, bump, terminate, or err).
In most cases, the only remaining choice at this step is
whether to terminate the connection. The splicing or bumping
decision is usually dictated by either peeking or staring at the
previous step.
- The ssl_bump ACLs list may evaluated in all SSL Bumping processing steps to
take a decision for the next step:
splice or none: Become a TCP tunnel without decoding the connection.
bump: Establish a secure connection with the server and, using a
mimicked server certificate, with the client
peek: Receive client (step1) or server (step2) certificate while
preserving the possibility of splicing the connection. Peeking
at the server certificate usually precludes future bumping of
the connection.
stare: Receive client (step1) or server (step2) certificate while
preserving the possibility of bumping the connection. Staring at
the server certificate usually precludes future splicing of the
connection.
terminate or err: Close client and server connections.
All actions except peek and stare correspond to final decisions: Once an
ssl_bump directive with a final action matches, no further ssl_bump
evaluations will take place, regardless of the current processing step.
- Add the atstep acl to match against SSL bumping step: "step1", "step2" or
"step3"
Current Implementation details:
---------------------------------
1) If the "peek" mode selected in step2 then the client hello message
forwarded to server. If this mode selected in step2 the splice is always
possible and bump maybe is not possible (in most cases where the client uses
different SSL client library implementation)
2) If the "stare" mode selected in step2 then the squid builds a new
hello message, which try to mimic, if it is possible , client hello message.
If stare selected in step2 the bump is always possible, but splice maybe is
not possible any more.
3) In step3 if bump decided, and bump is not possible any more then squid
is always splicing.
4) In step3 if splice decided but splice is not possible any more then
squid is always bumping.
5) Because of (3) and (4), in practice, if firefox browser used with
peek mode, squid always splice the connection, because squid/openSSL
does not support the firefox SSL features reported in client hello message.
6) In step2 if ACL list evaluation result to terminate or err then we just
close client connection. If the check result to ssl-bump then just bump.
If check result to client-first, server-first, then bump the connection
else do peek/stare.
7) In step3 the ssl_bump ACL list evakuation result client-first, server-first,
bump or peek result to bumping (if bumping is possible).
This access list is a temporary solution for peek-and-splice project and used to
take the final decision "bump" or "splice" in peek-and-splice bumping mode.
This is what this patch try to do:
- Get Client Hello message
- Start connection.
- Inside bio, before write the SSL HELLO message, try to emulate client hello
message:
a) extract client hello message features
b) Check if we are able support client features and if not, splicing is not
able to be supported.
c) Creates an SSL object to connect to server and try to set it with
the extracted features.
This step currently includes many hacks and modify undocumented SSL
object members.
extensions)
- in PeerConnector.cc
a) If can not be spliced do not splice.
b) check the ssl_bump_peeked access list to splice or not.
Replace the HttpMsg::protocol member (only used by HttpRequest) with a
class URL member HttpRequest::url. To do this we adjust the class URL
scheme_ member to be mutable via the makeScheme() setter, and add a
clear() method to reset its internal state. These are necessary for
HttpRequest init() and initHTTP() mechanisms, but fiddling with the
scheme should be avoided as much as possible.
Remove the hack of forcing internal requests to http:// for processing
and cache lookup, then to internal:// for FwdState. Instead use the
available flags.internal for requests identified to be served by this proxy.
Drop the non-standard and now meaningless "internal://" scheme.
Add debugging to display what internal indicators are detected and when
the internal*() server and CacheManager are used by FwdState.
Also document HttpMsg::http_ver which is a copy of the HTTP-Version
field in the "on-wire" message syntax. It is unrelated to the socket
transport protocol and the URL scheme protocol.
author: Alex Rousskov <rousskov@measurement-factory.com>, Christos Tsantilas <chtsanti@users.sourceforge.net>
Ssl::PeerConnector class
This patch investigates the new Ssl::PeerConnector class. This class connects
Squid client-side to a SSL cache_peer or SSL server. It is used by
TunnelStateData and FwdState to initiate and establish the SSL connection.
This class handles peer certificate validation.
The caller receives a call back with PeerConnectorAnswer. In the SSL connection
is not established because of an error, an error object suitable for error
response generation is attached to PeerConnectorAnser
The Ssl::PeerConnector class includes the old SSL initialization code from
FwdState class.
The squid.conf parser does not accept whitespace in the IFDEF: parameter
values. This was hiding parse issues when high_memory_warning was used
without gnumalloc.h availability.
Also, sort the cf_gen_defines array alphabetically by IFDEF: value for
easier maintenance.
Docs: mention byte units and maximum_object_size/cache_dir relationship
* we are having users configure rounded n MB or n GB values as KB numbers
unnecessarily from misunderstanding the unit measures. Document which
units Squid understands to assist simplifying these configs.
* the maximum_object_size directive has been a "toggle" default for
cache_dir max-size for some time but the dependency of having it
placed before cache_dir it is supposed to affect has not been
documented. Add the documentation, and re-order the default config
directive positions.
This is may cause problems in some cases where the code assume that the MemBuf
is always NULL terminated. For example when an ErrorState object try to use
an empty errorpage template.
This patch terminates the (empty) MemBuf on MemBuf::init method.
Cleanup: Make crypt(3) detection dependent on the helpers that use it
Only run detection for crypt(3) support when the NCSA and getpwnam
helpers which use it are to be built.
Also, move shadow.h detection to depend on getpwnam helper which is the
only code using it.
Also, shuffle the libcrypt and libmd5 detection up into the section with
other crypto libraries so they are known in advance of helper detections
which may require libcrypt.
Fix OpenSSL detection when an explicit path is given
The previous OpenSSL detection was skipping the library checks when an
explicit path was presented. Resulting in no -lssl flag being passed to
the linker.
Rational for this fix:
pkg-config presents location-neutral details.
The explicit checks are likewise neutral provided the LIBS environment
variable has been set with the explicit path.
User presented path must be used regardless of which the library checks
are used in detection.
So...
Always perform the checks with optionally set LIBS and keep the
user provided path explicitly separate from the pkg-config *_LIBS
variable. Only assemble the parts into SSLLIB once all have been
identified.
Amos Jeffries [Mon, 31 Mar 2014 04:46:50 +0000 (21:46 -0700)]
Cleanup: make loadable modules build variables follow Squid3 coding guidelines
Squid-3 coding guidelines mandate that AM_CONDITIONAL variables begin
with ENABLE_* and AC_DEFINE macros begin with USE_* to resolve confusion
over which is relevant.
Amos Jeffries [Sun, 30 Mar 2014 12:00:34 +0000 (05:00 -0700)]
Cleanup: replace USE_SSL wrapper macro with USE_OPENSSL
Squid-3 currently only supports OpenSSL for SSL/TLS components. This
makes the support type explicit and prepares for alternative SSL
libraries to be added in future with different macro wrappers.
Amos Jeffries [Sun, 30 Mar 2014 06:46:34 +0000 (23:46 -0700)]
Fix buffer overruns in generated NTLM tokens
The NTLM token payload (string value) encoding was not protecting fully
against 16-bit and 8-bit wrap errors and signedness conversions.
This protects against the wrap and conversion errors by truncating at
the maximum field length. That length limit is vastly larger than NTLM
protocol specified field sizes and permitted HTTP header sizes so is not
expected to cause issues with existing implementations.
Amos Jeffries [Sun, 30 Mar 2014 06:41:27 +0000 (23:41 -0700)]
crypto-ng: Drop --enable-ssl build option
This confgure option was fully overlapping --with-openssl.
Simplify the build options and cleanup in preparation for crypto-ng as
SSL functionality will be enabled by default in future when any of the
supported SSL/TLS libraries is available.
Amos Jeffries [Sat, 29 Mar 2014 11:15:13 +0000 (04:15 -0700)]
C++11: Upgrade auto-detection to use the formal -std=c++11
When the latest compilers added support for -std=c++11 they also dropped
the temporary -std=c++0x option without backward-compatible support. So
for the newest compilers we have not been testing the C++11 code.
As a result of this change Squid will no longer attempt to enable the
partial support in older compilers with -std=c++0x.
Also, update the compiler option test macro from autoconf project.
Amos Jeffries [Mon, 24 Mar 2014 04:57:32 +0000 (21:57 -0700)]
Parser-NG: Convert the ConnStateData input buffer to SBuf
Prepare the way to efficiently parse client requests using SBuf based
parser-ng.
IoCallback stores a raw-pointer to the ConnStateData::In::buf member
object rather than an SBuf reference to the backing MemBlob or char*
store so that only the short (blocking) FD_READ_METHOD() call needs to
provide any synchronous guarantees. We also particularly need a direct
(raw) pointer to the ConnStateData member to prevent the possible
read/consume collisions causing problems with the ConnStateData callback
and avoid having to merge two separate SBuf.
This patch fixes the following bug:
1) A user sends a CONNECT request with valid credentials
2) Squid checks the credentials and adds the user to the user cache
3) The same user sends a CONNECT request with invalid credentials
4) Squid overwrites the entry in the user cache and denies the second
CONNECT request
5) The user sends a GET request on the first SSL connection which is
established by now
6) Squid knows that it does not need to check the credentials on the
bumped connection but still somehow checks again whether the user is
successfully authenticated
7) Due to the second CONNECT request the user is regarded as not
successfully authenticated
8) Squid denies the GET request of the first SSL connection with 403
ERR_CACHE_ACCESS_DENIED
On proxies with Basic authentication and SSL bumping, this can be used
to prevent a legitimate user from making any HTTPS requests
Amos Jeffries [Sun, 23 Mar 2014 05:17:14 +0000 (23:17 -0600)]
Portability: invert the basic_nis_auth header check
autoconf macro will set its action-if-found if *any* of the headers is
found. Since these are mandatory headers being tested for we need to
disable if any are missing rather than enable on finding one works.
Amos Jeffries [Sat, 15 Mar 2014 02:30:08 +0000 (19:30 -0700)]
Push SBuf down into Comm::IoCallback
Use a pointer to the SBuf instead of the rawSpace() because using a SBuf
copy can potentially cause different MemBlob to exist behind the Comm
read classes and the caller (ConnStateData) class. They need to be kept
identical so as not to loose any existing bytes in the I/O buffer when
a read callback handler is run.
Pointer to SBuf also avoids race conditions between comm_read async calls
and BodyPipe notifications which can potentially change the MemBlob
underneath comm_read() and invalidate te char* buffer pointer used
previously.
projects / thirdparty / squid.git / log
