From 21512911a30a19827004c2907a1b0dee66f9e642 Mon Sep 17 00:00:00 2001
From: Christos Tsantilas
Date: Thu, 15 Dec 2011 13:56:37 +0200
Subject: [PATCH] Bug 2519: ssl_bump + Authentication (LDAP Digest) issues
When the ssl_bump and authentication iare both enabled for an ssl-bumped port all SSL enabled websites prompt the user for authentication information once per FQDN. Tis patch inherits the authentication info from the CONNECT request to the sslbumped requests.
---
 src/acl/FilledChecklist.cc | 5 +++--
 src/auth/Acl.cc | 7 +++++++
 src/client_side.cc | 6 ++++++
 src/client_side_request.cc | 10 +++++++++-
 4 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
index e061e8c638..4c0fdb5379 100644
--- a/src/acl/FilledChecklist.cc
+++ b/src/acl/FilledChecklist.cc
@@ -24,8 +24,9 @@ ACLFilledChecklist::checkCallback(allow_t answer)
 if (auth_user_request != NULL) {
 /* the filled_checklist lock */
 auth_user_request = NULL;
- /* it might have been connection based */
- if (conn()) {
+ // It might have been connection based
+ // In the case of sslBump we need to preserve authentication info
+ if (conn() && !conn()->switchedToHttps()) {
 conn()->auth_user_request = NULL;
 }
 }
diff --git a/src/auth/Acl.cc b/src/auth/Acl.cc
index 6ad4e16697..75da665aa8 100644
--- a/src/auth/Acl.cc
+++ b/src/auth/Acl.cc
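Review bot: The new comment says the authentication info is preserved on a bumped connection but not why it is safe to skip the release every other path performs, and it switches to `//` while the `/* the filled_checklist lock */` line directly above keeps the file's `/* */` style. Suggest one comment in the existing style that names the reason: `/* Connection-bound credentials are released here, except on a bumped connection: the identity pinned at CONNECT time (sslBumpEstablish) must outlive this check so the encapsulated requests can inherit it. */`. `conn()` is evaluated twice in the new condition; a local such as `ConnStateData *cs = conn();` (assuming that is its return type) would read more directly. checkCallback continues outside the hunk.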
@@ -23,6 +23,13 @@ AuthenticateAcl(ACLChecklist *ch)
 if (NULL == request) {
 fatal ("requiresRequest SHOULD have been true for this ACL!!");
 return ACCESS_DENIED;
+ } else if (request->flags.sslBumped) {
+ debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
+ checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request;
+ if (checklist->auth_user_request != NULL)
+ return ACCESS_ALLOWED;
+ else
+ return ACCESS_DENIED;
 } else if (request->flags.accelerated) {
 /* WWW authorization on accelerated requests */
 headertype = HDR_AUTHORIZATION;
diff --git a/src/client_side.cc b/src/client_side.cc
index 4b3b6f5f79..8d90adfc57 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2547,6 +2547,12 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
 request->flags.sslBumped = conn->switchedToHttps();
 request->flags.ignore_cc = conn->port->ignore_cc;
 request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
+#if USE_AUTH
+ if (request->flags.sslBumped) {
+ if (conn->auth_user_request != NULL)
+ request->auth_user_request = conn->auth_user_request;
+ }
+#endif
 /** \par
 * If transparent or interception mode is working clone the transparent and interception flags
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index d4bbe39ce3..9b4f98b375 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -767,7 +767,10 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
 if (auth_challenge) {
 #if USE_AUTH
- if (!http->flags.accel) {
+ if (http->request->flags.sslBumped) {
+ /*SSL Bumped request, authentication is not possible*/
+ status = HTTP_FORBIDDEN;
+ } else if (!http->flags.accel) {
 /* Proxy authorisation needed */
 status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
 } else {
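Review bot: The sslBumped branch returns ACCESS_ALLOWED as soon as an auth_user_request object is attached to the connection or request, without asking whether that object represents a completed authentication; the non-bumped path, which continues below the hunk, presumably still runs the credential check before deciding. The inherited object is copied from the CONNECT in sslBumpEstablish (client_side_request.cc hunk) and that copy is also unconditional, so whether it is always an authenticated one rests on the CONNECT access check having required it — worth confirming and recording in a comment such as `// Bumped requests inherit the identity the CONNECT established; no challenge is possible inside the tunnel, so a NULL here ends in 403 (clientAccessCheckDone), not 407.`. The ternary also ignores request->auth_user_request whenever a connection is present, even if the connection's pointer is NULL; `checklist->auth_user_request = (checklist->conn() != NULL && checklist->conn()->auth_user_request != NULL) ? checklist->conn()->auth_user_request : request->auth_user_request;` makes the fallback explicit. The four-line if/else collapses to `return checklist->auth_user_request != NULL ? ACCESS_ALLOWED : ACCESS_DENIED;`.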
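Review bot: Every request parsed on a bumped connection is stamped with the connection's auth_user_request before any header of its own is examined, so from here on the identity for the whole TLS session is whatever the CONNECT established; the hunk reads like an incidental copy and should say so. Suggest `// Bumped requests cannot be challenged, so they carry the identity the CONNECT established on this connection (see sslBumpEstablish); their own Authorization headers are not consulted.` — the last clause follows from the AuthenticateAcl hunk returning before a header type is chosen for sslBumped requests. The nested ifs can be one condition: `if (request->flags.sslBumped && conn->auth_user_request != NULL)`. clientProcessRequest continues on both sides of the hunk.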
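Review bot: The comment `/*SSL Bumped request, authentication is not possible*/` states the conclusion but not the reason, which is what a reader diagnosing an unexpected 403 will want. Suggest `/* Bumped request: the client believes it is talking to the origin server, so a 407 challenge cannot be answered inside the tunnel; deny outright and rely on the identity inherited from the CONNECT (see AuthenticateAcl). */`. Because the 403 is delivered inside the bumped connection as if it came from the origin, a `debugs()` line at this branch would help operators correlate per-FQDN authentication failures with this path. clientAccessCheckDone continues outside the hunk on both sides.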
@@ -1372,6 +1375,11 @@ ClientHttpRequest::sslBumpEstablish(comm_err_t errflag)
 return;
 }
+#if USE_AUTH
+ // Preserve authentication info for the ssl-bumped request
+ if (request->auth_user_request != NULL)
+ getConn()->auth_user_request = request->auth_user_request;
+#endif
 getConn()->switchToHttps(request->GetHost());
 }
-- 
2.47.2
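Review bot: The copy into getConn()->auth_user_request overwrites whatever the connection already holds, and with the FilledChecklist.cc hunk no longer releasing it once switchedToHttps() is true, nothing in this patch releases it again, so the pointer presumably lives as long as the connection object. The comment should record that lifetime, e.g. `// Pin the CONNECT's identity to the connection: after switchToHttps() the bumped requests inherit it (clientProcessRequest) and ACLFilledChecklist::checkCallback no longer clears it, so it is held until the connection goes away.`. If a CONNECT can reach this point with a pending or rejected auth_user_request, that state is inherited as well; this is the single place where a check on its state would enforce that only a completed authentication is pinned. sslBumpEstablish starts outside the hunk.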