Add the following methods:
- Ssl::CrtdMessage::parseRequest: Parse a ssl_crtd "new certificate" request and
store the requested certificate properties to a CertificateProperties object
- Ssl::CrtdMessage::composeRequest: Generate a "new certificate" ssl_crtd
request using the certificate properties given by a CertificateProperties
object
- Ssl::CertificateProperties::dbKey: Return a valid key for the generated
certificate to be used with a (memory or disk) database, based on its
properties
Others:
- The ssl_crtd.cc code simplified using the above methods
- The ConnStateData::buildSslCertGenerationParams and ConnStateData::getSslContextStart
simplified using the above methods
Alex Rousskov [Fri, 3 Feb 2012 18:01:27 +0000 (11:01 -0700)]
Disable persistent connections after client-side-detected errors.
HTTP does not require to close the connection after most errors, but some
client-side-detected errors (those detected by clientProcessRequest) are about
HTTP message framing and should result in connection closure. For other
client-side-detected errors (those detected in serveDelayedError), the
client-side code is just not ready to handle persistency well:
* If we leave flags.readMore as true, then a new request on the same
connection may find bumpErrorEntry set and think there is a delayed error
that needs to be served, but that StoreEntry object has been already used.
And we should not simply clear bumpErrorEntry because it is not locked by
the error writing code using it. There may be other problems as well (and it
is likely the connection is not usable anyway because the fake certificate
was rejected by the client).
* If we set flags.readMore to false then we will not resume reading after
serving the error, causing "abandoning such and such connection" errors
and stuck ConnStateData jobs.
Thus, in summary, we should set flags.readMore to false and, if we do that, we
should also set proxy_keepalive to zero so that we close the connection after
serving the error to the client.
Replace the hard coded implementation for default signing algorithm applied
to generated certificates which does not match the configured sslproxy_cert_sign
access list, with default acl lines.
The new tag POSTSCRIPTUM added to the cf.data.pre file which can be used to
append to the user configuration some default config lines.
This patch add the following ACLs to test the condition of the origin server
certificate: ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch,
ssl::certUntrusted and ssl::certSelfSigned.
The above in this patch are predifined acl lists or/and can be used as error
name shortcuts with ssl_error ACL lists
Implementation details:
1) The ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch
ssl::certUntrusted and ssl::certSelfSign acl lists are predifined in cf.data.pre
2) The above names can also used as error names. The ssl-error parser
(Ssl::ParseErrorString function) replace them with the appropriate SSL error
list.
3) The Ssl::ParseErrorString function modified to return a list of errors, not
just an error code.
4) I implement the IFDEF /ENDIF block support for cf.data.pre file.
Bug fix: broken intermediate certificate is mimicked instead of the origin server certificate
In the case of SSL error we are trying to get the server ssl certificate from
the Ssl::ErrorDetail object using the Ssl::ErrorDetail::peerCert method.
But with the current implementation this method does not return the peer
certificate but instead the broken certificate which may be different than the
peer certificate.
This patch:
1) Stores both server and broken certificate in Ssl::ErrorDetail objects
2) Fix the Ssl::ErrorDetail::peerCert method to return always server certificate
3) Add a new method the Ssl::ErrorDetail::brokenCert which return the broken
certificate
Alex Rousskov [Wed, 1 Feb 2012 19:12:41 +0000 (12:12 -0700)]
Set logged status code (%<Hs) to 200 when establishing a bumped tunnel.
Bumped CONNECT requests are logged separately and we always use 200 status
code when bumping them. Eventually, tunnel and bumping code should use
real HttpReply objects instead of writing hard-coded reply strings that
logging code has no access to.
Alex Rousskov [Wed, 1 Feb 2012 06:05:08 +0000 (23:05 -0700)]
Add FwdState close handler to pinned connections.
Without a close handler, we will not notice when Server forcefully closed the
connection (e.g., when receiving a zero-size response due to a pconn race)
and, hence, will not retry the connection (or server an error), resulting in a
stuck client (e.g., again, when the server received a zero-size response).
Alex Rousskov [Wed, 1 Feb 2012 05:13:24 +0000 (22:13 -0700)]
Replaced PROTO_SSL_PEEK with request_flags::sslPeek and disabled server SNI
for bump-server-first connections.
While PROTO_SSL_PEEK was a safer design option because requests with the
"wrong" protocol scheme would be less likely to leave Squid, it required
all error-generation code to replace the protocol with PROTO_HTTPS so
that error make more sense to end users. We no longer have to do that.
The server-side SNI for bump-server-first connections has to be disabled
because bump-server-first code does not yet know the true intended server name
(even for those CONNECT requests that have server name, it would be a little
risky to use CONNECT info for SNI). That name could be eventually obtained
from the client before we peek at the server certificate but that work
is outside this project scope.
Alex Rousskov [Wed, 1 Feb 2012 05:06:08 +0000 (22:06 -0700)]
Do not set request->flags.no_direct for bumped CONNECT requests
because it precludes them from reaching their [direct] destination
unless allow-direct is set on http_port.
where <signing algorithm> can be one of the signTrusted, signUntrusted or
signSelf
Default signing algorithm if the sslproxy_cert_sign is not configured is
signSelf, if the server certificate is self signed, signUntrusted if the server
certificate is untrusted (ERR_INVALID_CA, ERR_SELF_SIGNED_CERT_IN_CHAIN,
ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, ERR_UNABLE_TO_GET_ISSUER_CERT,
ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and ERR_CERT_UNTRUSTED errors) and
signTrusted if the server certificate is trusted.
Notes:
- The signing algorithm passed as parameter to the ssl_crtd daemon
- A self signed certificate generated on squid startup to be used as
signing certificate for untrusted certificates, with CN =
"Squid CA for Untrusted Certificates"
- The configured certificates with http(s)_port squid.conf option chained to
the client SSL connection only when signTrusted signing algorithm selected.
When the signing algorithm is signSelf or signUntrusted no other certificate
send to the client browser.
- A small bug fixed which did not allow the sslproxy_cert_adapt option
to be enabled in squid if the icap client is not enabled
This patch add the sslproxy_cert_adapt option to squid.conf which gives to
squid administrators the required functionality to "fix" a known broken
certificate using acls.
Currently only the "Not After", "Not Before" and "Common Name" fields of a
certificate can be modified/fixed.
The sslproxy_cert_adapt option has the form:
sslproxy_cert_adapt <adaptation algorithm> acl ...
where <adaptation algorithm> is one of the setValidAfter, setValidBefore and
setCommonName.
setValidAfter: sets the "Not After" property to the signing cert's
"Not After" property.
setValidBefore: sets the "Not Before" property to the signing cert's
"Not After" property.
setCommonName: sets certificate Subject.CN property to the host name
from specified as a CN parameter (setCommonName{CN}) or,
if no explicit CN parameter was specified, extracted from
the CONNECT request
When the acl(s) match, the corresponding adaptation algorithm is applied to
the fake/generated certificate. Otherwise, the default mimicking action takes
place.
In the case where the squid-to-server connection closed and we re-connect to
server we need to check if the server certificate changed.
Moreover we need to check stored certificates with the web server certificate
to handle the case the web server certificate is updated. In this case a new
certificate must generated to mimic the updated server certificate fields
Bump-server-first fails with SQUID_X509_V_ERR_DOMAIN_MISMATCH error
When the bump-server-first used we do not always know the hostname of the server
we are connecting to. Thus the the hostname validity check for the
SSL server certificate will fail with SQUID_X509_V_ERR_DOMAIN_MISMATCH error.
This patch does not check if server certificate is valid for the hostname on
bump-server-first case and move this check after the http request received
from the web client
The error pages of failed "ssl bump first" requests contains urls in the form:
ssl_peek://hosrtname:443
This patch fixes this problem adding code which creates a new fake HttpRequest
which is a clone of the "ssl_peek" request but sets the hostname to the CN
retrieved from server certificate and protocol to Https.
The fake HttpRequest object passed to the ErrorState object.
Implement the Ssl::CommonHostName name to recurn the CN from a certificate,
suitable for use as a host name.
Use this function to set the ConnStateData::sslHostName in ConnStateData::httpsPeeked method
Forward a StoreEntry holding the bumped secure connection establishment
error page from the server-side code (which generates the error) to the
client-side code (which delays the error until the first encrypted
request comes). This allows Squid to display the error page to the user
(using secure connection) when bumping intercepted SSL connections. The
code still needs more polishing, including generating errors with host
names and not IP addresses (when possible).
The peeked server certificate is now stored in
ConnStateData::bumpErrorEntry. This allows us to mimic the certificate
of dropped server connections.
Load signing certificate and key when initializing a tproxy-enabled
https_port.
Fixed debugging when opening a peeking connection.
This patch try to mimic true server certificate properties when generating
a fake SSL certificate for SslBump. If ssl_crtd is enabled, it receives the
true server certificate and mimic its properties. Otherwise, the certificate
mimicking code will run in the worker.
Currently the following properties mimicked: subject name, not before/after,
and subject alternate name.
Alex Rousskov [Wed, 14 Dec 2011 18:24:29 +0000 (11:24 -0700)]
Peek at the origin server SSL certificate when bumping intercepted HTTPS.
* Configuration changes:
Allow intercepted SSL connections to be bumped, in addition to the
tproxied SSL connections.
Honor and check ssl-bump flag in https_port. Earlier code apparently
assumed that the flag must be present in http_port and left
Ssl::TheGlobalContextStorage uninitialized if only https_port had the
flag.
* Client-side changes:
Added a new Ssl::ServerPeeker class to do client-side error handling
while peeking at the origin server certificate. Peeking is done at the
server-side. Server-side uses Store and store_client API to report
errors to the client-side. That works OK when the errors can be sent to
the client, but when we bump intercepted connections, the client does
not yet have a secure connection established with Squid so errors cannot
be sent (popular browsers do not display CONNECT-stage errors). Instead,
the errors must be accumulated and sent after the secure connection with
the client is established (in response to the first HTTP request on that
connection). Ssl::ServerPeeker needs work to support such accumulation.
Start Ssl::ServerPeeker job in ConnStateData::switchToHttps() and wait
for somebody to call the new ConnStateData::httpsPeeked() method back.
Needs more work to actually use the peeked certificate and handle
errors.
Changed ConnStateData::switchToHttps() profile to require destination
port number. Without it, we cannot switch intercepted SSL connections
because they do not have a proper request structure that can supply port
details.
Polished pinned connection cleaning code: If our Comm close handler for
the pinned connection was called, do no try to remove the handler. If
the pinned connection was closed (e.g., by a server-side error), do not
try to close it again. If we already called unpinConnection(), do not
try to close the pinned connection again.
Do not assume we have a request when pinning a connection to the server.
Intercepted connections do not have requests at the connection pinning
stage.
* Server-side changes:
Bug 3243 (CVE 2009-0801: Bypass of browser same-origin access control in
intercepted communication) fix always created a new connection to the
origin server. I think it is safe (and possibly even safer!) to reuse a
pinned connection instead (if one is available). We now do that in the
new FwdState::selectPeerForIntercepted() method. If bump-server-first
does not reuse a pinned connection (left from certificate peeking),
Squid would be opening and closing to-server connections just to learn
the certificate, which is not kosher.
Added a new internal protocol type (PROTO_SSL_PEEK) to allow FwdState to
detect peeking requests and end processing after the certificate is
received (instead of proceeding with to httpStart()).
Alex Rousskov [Sat, 3 Dec 2011 22:45:38 +0000 (15:45 -0700)]
Honor ssl-bump option for https_port.
Initial ssl-bump handling logic mimics that of http_port: If the option is
set, check the slow ssl_bump ACL, and if there is a match, plug into
switchToHttps() code path, generating a dynamic certificate and establishing a
secure connection with the client. If there is no match, Squid becomes a TCP
tunnel for the intercepted connection.
For now, we use the destination IP address of the intercepted connection as
the host name for the certificate (which will trigger browser warnings, of
course).
Amos Jeffries [Tue, 22 Nov 2011 12:00:59 +0000 (01:00 +1300)]
Cleanup: comm Close handlers
Make handlers take the CommCloseCbParams instead of series of expanded
variables.
Opening access to the other CommCommonCbParams fields with Connection/FD
data. Hiding the deprecated FD parameter from most handlers. Which seem
not to have actually needed it in most cases outside Comm.
The StoreEntry::write in the case of an empty write, calls the StoreEntry
handlers. It is possible one of these handlers will change the state of the
store entry or abort it. The next call of the StoreEntry::write will cause
this assertion.
The block of code which calls the StoreSntry handlers in the case of an empty
write, added to allow forward http headers to the client even if no body data
arrived yet (bug 1750). There is not need for this part of code in the latest
squid releases, so it is safe to be removed.
Alex Rousskov [Mon, 21 Nov 2011 16:49:34 +0000 (09:49 -0700)]
Avoid crashes when processing bad X509 common names (CN).
X509_REQ_get_pubkey() returns a refcounted object that we must clean after use.
X509_REQ_get_subject_name() does not; cleaning the result may cause segfaults.
How we are supposed to tell the difference is beyond me.
author: Martin Huter <mhuter@barracuda.com>, Alex Rousskov <rousskov@measurement-factory.com>, Christos Tsantilas <chtsanti@users.sourceforge.net>
Bug 2619: Excessive RAM growth due to unlimited adapted body data consumption
If the client does not read from the open connection (i.e. the user does not
confirm the browsers download-message-box in microsofts IE), squid keeps on
reading data from the ICAP server into the store entry, while no more data
can be delivered to the client.
Thus the store entry in memory is growing and squid may - in worst case -
consume memory up to the size of the users download.
This patch add API to StoreEntry to call the producer back when released
memory/space from the StoreEntry and add code to the ICAP client code to not
consume body data comes from the ICAP server when there is not available space
in the store entry.
Amos Jeffries [Fri, 18 Nov 2011 07:48:25 +0000 (00:48 -0700)]
Log Format token namespace upgrade
This updates the format parser and storage objects in the Format::
namespace and separates some into separate files.
Add a registration API so components can register themselves an array
of tokens in a namespace. Registering the arbitrary namespace "example"
with some tokens ("a","b") will cause the parser to accept those tokens
in a logging format like so: "%example::a %example::b".
Future work:
- use runners registry instead of Init() function
- convert the error pages to use format for the page body macros
- convert the %ssl_* tokens in src/ssl/* to use format and "ssl::"
- convert external_acl_type to use formats for its helper input string.
Mathias Fischer [Thu, 17 Nov 2011 15:31:57 +0000 (08:31 -0700)]
Use the right certificate when detailing SSL certificate validation errors.
When an _intermediate_ SSL server certificate fails validation, we should
report errors using information in that certificate and not in the top-level
"peer" certificate. Otherwise, our details may make no sense. For example, we
may say that the validation failed due to the expired certificate and then show
an expiration date in the future (because the top-level certificate did not
expire but the intermediate certificate did).
OpenSSL X509_STORE_CTX_get_current_cert() returns the certificate that was
being tested when our certificate validation callback was called.
Alex Rousskov [Tue, 15 Nov 2011 18:21:07 +0000 (11:21 -0700)]
Fix Comm::Write closing() assertion when retrying a failed UDP DNS query.
When we receive a UDP DNS response with a truncation (TC) bit set, we retry
using TCP. Since the retry trigger has nothing to do with the TCP connection,
it is possible that the TCP connection is being closed when we are about to
write to it: A call to our connection close callback has been scheduled but
has not fired yet. We must check for and avoid such race conditions.
This patch allows Squid to provide details for the %D macro on the secure
connect failed error page when an SSL handshake with the origin server fails.
The default %D text is "Handshake with SSL server failed: XYZ" where XYZ is the
corresponding error string/description returned by OpenSSL if there is any.
Amos Jeffries [Tue, 8 Nov 2011 10:54:37 +0000 (03:54 -0700)]
Document and alter the pconn idle timeout directives.
Alters the directive names to clarify what they do and adds some more
description to the config file documentation.
Alters the internal config variables to match the new directive names.
Also alters the well known messages in mgr:filedescriptors report a little
to indicate client/server type and adds a standard "Idle " prefix for
easy automated scanning.
Amos Jeffries [Tue, 8 Nov 2011 09:24:08 +0000 (22:24 +1300)]
Document and alter the pconn idle timeout directives.
Alters the directive names to clarify what they do and adds some more
description to the config file documentation.
Alters the internal config variables to match the new directive names.
Also alters the well known messages in mgr:filedescriptors report a little
to indicate client/server type and adds a standard "Idle " prefix for
easy automated scanning.
Andrew Beverley [Sat, 5 Nov 2011 05:21:11 +0000 (18:21 +1300)]
Add a mask on the qos_flows miss configuration value.
The reason for this is to allow the preserved mark/TOS value from the
server to be altered slightly rather than overwritten completely.
Example usage. The following will preserve the netfilter mark, but will
ensure that the (9th) bit specified in the miss value will be set to 1
in the preserved mark:
Alex Rousskov [Wed, 2 Nov 2011 21:18:50 +0000 (15:18 -0600)]
Fixed two more cases of outdated shared memory cache detection
which led to "STORE_DISK_CLIENT == getType()" assertions
when running SMP Squid with non-shared memory caching.
UsingSmp() is not the right condition to detect whether we are using a shared
memory cache because shared memory caching may be disabled and because
Coordinator does not use a shared memory cache even if shared caching is
enabled.
This option allows Squid administrator to add custom ICAP request
headers or eCAP options to Squid ICAP requests or eCAP transactions.
Use it to pass custom authentication tokens and other
transaction-state related meta information to an ICAP/eCAP service.
The addition of a meta header is ACL-driven:
adaptation_meta name value [!]aclname ...
Processing for a given header name stops after the first ACL list match.
Thus, it is impossible to add two headers with the same name. If no ACL
lists match for a given header name, no such header is added. For example:
# do not debug transactions except for those that need debugging
adaptation_meta X-Debug 1 needs_debugging
# log all transactions except for those that must remain secret
adaptation_meta X-Log 1 !keep_secret
# mark transactions from users in the "G 1" group
adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
The "value" parameter may be a regular squid.conf token or a "double
quoted string". Within the quoted string, use backslash (\) to escape
any character, which is currently only useful for escaping backslashes
and double quotes. For example,
"this string has one backslash (\\) and two \"quotes\""
Dmitry Kurochkin [Fri, 28 Oct 2011 01:11:23 +0000 (19:11 -0600)]
Portability fixes for Atomic::WordT API.
Change parameter types for swap_if() and operator==() from int to
Value. This fixes some GCC warnings in "fake" implementation when
the AtomicWordT template parameter is unsigned.
Polished (waitingToBeFreed == true) test. waitingToBeFreed is
Atomic::WordT<uint8_t> and GCC does not know whether to cast AtomicWord or
boolean when comparing the two.
Dmitry Kurochkin [Fri, 28 Oct 2011 01:01:41 +0000 (19:01 -0600)]
Provide "fake" AtomicWordT implementation for non-SMP configurations.
While we can not provide real AtomicWordT implementation on the systems where
atomic operations are not available, we can use a "fake" one if Squid is
running in non-SMP mode. Before the change, the "fake" implementation was
always asserting, which is too restrictive and leads to test failures on
systems without atomic operations.
The new implementation works under conditions similar to "fake" shared memory
segments and allows SMP-using code (e.g. Rock store) to work in non-SMP mode.
In particular, it allows tests to pass on such systems.
AtomicWordT was renamed to WordT and moved to Ipc::Atomic namespace to allow
Ipc::Atomic::Enabled() to be declared outside of the AtomicWordT template
class. This lets us define the Enabled() method in AtomicWord.cc which avoids
dragging protos.h #include into the AtomicWord.h header.
Dmitry Kurochkin [Thu, 27 Oct 2011 23:14:28 +0000 (17:14 -0600)]
Bug 3150: do not start useless unlinkd.
Unlinkd may be used only by UFS storage but, before the change, Squid
always started unlinkd if it was built, even if it was not needed.
Whether a SwapDir may use unlinkd depends on the SwapDir
implementation and DiskIO strategy it uses. The patch adds
unlinkdUseful() method to SwapDir and DiskIOStrategy to decide if
unlinkd should be started.
After the change, unlinkd may be started during reconfiguration and
unlinkdInit() may be called multiple times.
After the change, unlinkdClose() may be called when unlinkd was never
started. The patch removes a warning which was printed in this case
on Windows.
Dmitry Kurochkin [Thu, 27 Oct 2011 22:51:19 +0000 (16:51 -0600)]
Optimization: Make read requests in [Rock] IpcIo bypass max-swap-rate limit.
Before the change, IpcIoFile::WaitBeforePop() delayed both swap ins
(hits) and swap outs (misses). This is suboptimal because reads do
not usually accumulate unfinished I/O requests in OS buffers and,
hence, do not eventually require the OS to block all I/O.
Ideally, a disker should probably dequeue all pending disker requests,
satisfy reads ASAP, and then handle writes, but that is difficult for
several reasons. The patch implements a simpler approach: peek the
next request to be popped, and if it is a swap in (i.e., read or hit),
then pop it without any delay.
When a read is popped, we still adjust the balance member and LastIo,
because we do want to maintain the configured average I/O rate. When a
write request comes in, it will be delayed [longer] if needed.
In the extreme case of a very long stream of read requests (no writes
at all), there will be essentially no I/O rate limit and that is what
we want.
Dmitry Kurochkin [Thu, 27 Oct 2011 22:44:20 +0000 (16:44 -0600)]
Do not allow max-swap-rate and swap-timeout reconfiguration for Rock Store.
These options are used to configure DiskIO module during Rock SwapDir
initialization. During reconfiguration, the values are updated in Rock
SwapDir, but they do not reach the DiskIO module. Thus, while Squid says that
option has a new value, the new value is never really used. This patch fixes
this inconsistency.
In the future, we may support reconfiguration for max-swap-rate and
swap-timeout, but that would require adding reconfiguration support
to DiskIO modules.
Dmitry Kurochkin [Thu, 27 Oct 2011 21:57:26 +0000 (15:57 -0600)]
Independent shared I/O page limit.
Shared memory pages are used for shared memory cache and IPC I/O module.
Before this change, the number of shared memory pages needed for IPC I/O
was calculated from the size of shared memory cache. Moreover, shared
memory cache was required for IPC I/O.
The patch makes the limit for shared I/O pages independent from the
shared memory cache size and presence. IPC I/O pages limit is calculated
from the number of workers and diskers; it does not depend on cache_dir
configuration. This may change in the future if we learn how to compute
it (e.g., by multiplying max-swap-rate and swap-timeout if both are
available).
UsingSmp() is not the right condition to detect whether we are using a shared
cache because shared memory caching may be disabled and because Coordinator
does not use a shared memory cache even if shared caching is enabled.
The assertion was triggered by icons being added to Coordinator local memory
cache. TODO: Coordinator does not need to cache [icons] at all.
SslBump code assumed that it is signing generated certificates with a root CA
certificate. Root certificates are usually not sent along with the server
certificates because clients must have them independently installed or
built-in. Squid was not sending the signing certificate.
In many environments, Squid signing certificate is intermediate (i.e., it
belongs to a non-root CA). If Squid does not send that intermediate signing
certificate with the generated one, the client will not be able to establish a
complete chain of trust from the generated fake to the root CA certificate,
leading to errors.
With this change, Squid may send the signing certificate (along with the
generated one) using the following rules:
* If the configured signing certificate is self-signed,
then just send the generated certificate alone.
Note that root CA certificates are self-signed (by root CA).
* Otherwise (i.e., if the configured signing certificate is an intermediate
CA certificate), send both the intermediate CA and the generated fake
certificate.
* If Squid sends the intermediate CA certificate, Squid also sends
all other certificates from the "cert=" file, Sending a chain with
multiple intermediate CA certificates may be required when the Squid
signing certificate was signed by another intermediate CA.
Bug fix: The multi-language support is broken for Ssl error details
Current Ssl::ErrorDetail::useRequest never sets the ErrorDetail::request
member.The ErrorDetail::request member used to select the correct language
for the web client from Accept-Language header.
Alex Rousskov [Thu, 27 Oct 2011 01:00:39 +0000 (19:00 -0600)]
Bug 3383: unhandled exception: theGroupBSize > 0
Do not create shared queue for IpcIoFile if there are no diskers. The queue
code requires at least one queue reader and writer, and SMP does not imply the
existence of diskers.
projects / thirdparty / squid.git / log
