From 889fc478c33e9202115f090c4143e72c0427761e Mon Sep 17 00:00:00 2001 From: Christos Tsantilas Date: Sun, 23 Mar 2014 12:28:52 +0200 Subject: [PATCH] Basic auth cache and SslBump fix This patch fixes the following bug: 1) A user sends a CONNECT request with valid credentials 2) Squid checks the credentials and adds the user to the user cache 3) The same user sends a CONNECT request with invalid credentials 4) Squid overwrites the entry in the user cache and denies the second CONNECT request 5) The user sends a GET request on the first SSL connection which is established by now 6) Squid knows that it does not need to check the credentials on the bumped connection but still somehow checks again whether the user is successfully authenticated 7) Due to the second CONNECT request the user is regarded as not successfully authenticated 8) Squid denies the GET request of the first SSL connection with 403 ERR_CACHE_ACCESS_DENIED On proxies with Basic authentication and SSL bumping, this can be used to prevent a legitimate user from making any HTTPS requests This is a Measurement Factory project --- src/auth/AclProxyAuth.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/auth/AclProxyAuth.cc b/src/auth/AclProxyAuth.cc index 8be5df9ce9..0835f12070 100644 --- a/src/auth/AclProxyAuth.cc +++ b/src/auth/AclProxyAuth.cc @@ -189,6 +189,8 @@ int ACLProxyAuth::matchProxyAuth(ACLChecklist *cl) { ACLFilledChecklist *checklist = Filled(cl); + if (checklist->request->flags.sslBumped) + return 1; // AuthenticateAcl() already handled this bumped request if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) { return 0; } -- 2.39.5