Never enable OPENSSL_HELLO_OVERWRITE_HACK automatically.
OPENSSL_HELLO_OVERWRITE_HACK, a.k.a adjustSSL(), a.k.a. "splice after
stare and bump after peek" hack requires updating internal/private
OpenSSL structures. The hack also relies on SSL client making SSL
negotiation decisions that are similar to our OpenSSL version decisions.
Squid used to enable this hack if it could compile the sources, but:
* The hack works well in fewer and fewer cases.
* Making its behavior reliable is virtually impossible.
* Maintaining this hack is increasingly difficult, especially after
OpenSSL has changed its internal structures in v1.1.
* The combination of other bugs (fixed in r14670) and TLS extensions in
popular browsers effectively disabled this hack for a while, and
nobody (that we know of) noticed.
This temporary change disables the hack even if it can be compiled. If
an admin is willing to take the risks, they may enable it manually by
setting SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1 during
the build.
If, after this experimental change, we get no complaints (that we can
address), the hack will be completely removed from Squid sources.
projects / thirdparty / squid.git / commit
