git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/squid/squid-3.5-14142.patch
squid 3.5.24: latest patch (14142)
------------------------------------------------------------
revno: 14142
revision-id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
parent: squid3@treenet.co.nz-20170128035415-bpwt79jsobv1rqx3
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Wed 2017-02-08 18:40:33 +1300
message:
Bump SSL client on [more] errors encountered before ssl_bump evaluation

... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
http_access deny rule match.

The old code allowed ssl_bump step1 rules to be evaluated in the
presence of an error. An ssl_bump splicing decision would then trigger
the useless "send the error to the client now" processing logic instead
of going down the "to serve an error, bump the client first" path.

Furthermore, the ssl_bump evaluation result itself could be surprising
to the admin because ssl_bump (and most other) rules are not meant to be
evaluated for a transaction in an error state. This complicated triage.

Also polished an important comment to clarify that we want to bump on
error if (and only if) the SslBump feature is applicable to the failed
transaction (i.e., if the ssl_bump rules would have been evaluated if
there were no prior errors). The old comment could have been
misinterpreted that ssl_bump rules must be evaluated to allow an
"ssl_bump splice" match to hide the error.

This is a Measurement Factory project.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 8c3f2a03f86aa1b1484195a63742bc4002ba2359
# timestamp: 2017-02-08 05:51:15 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20170128035415-\
# bpwt79jsobv1rqx3
#
# Begin patch
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2017-01-23 02:05:46 +0000
+++ src/client_side_request.cc 2017-02-08 05:40:33 +0000
46 @@ -1442,6 +1442,13 @@
47 return false;
48 }
49
50 + if (error) {
51 + debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
52 + http->sslBumpNeed(Ssl::bumpBump);
53 + http->al->ssl.bumpMode = Ssl::bumpBump;
54 + return false;
55 + }
56 +
57 // Do not bump during authentication: clients would not proxy-authenticate
58 // if we delay a 407 response and respond with 200 OK to CONNECT.
59 if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
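Review bot: the added `if (error)` block returns before the proxy-authentication exemption that follows it in the trailing context, so `if (error && error->httpStatus == Http::scProxyAuthenticationRequired)` becomes unreachable: every error, a 407 included, now forces `Ssl::bumpBump`, which contradicts the comment right above that check ("clients would not proxy-authenticate if we delay a 407 response and respond with 200 OK to CONNECT"). Suggest placing the new block after that exemption so the 407 case keeps its own handling, and adding a regression test that a CONNECT hitting a 407 is not bumped. Minor: the `debugs()` line is very long; hoisting the clamped `error->type` index into a local variable would keep it readable.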
60 @@ -1781,8 +1788,9 @@
61 }
62
63 #if USE_OPENSSL
64 - // We need to check for SslBump even if the calloutContext->error is set
65 - // because bumping may require delaying the error until after CONNECT.
66 + // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
67 + // whether SslBump applies to this transaction. If it applies, we will
68 + // attempt to bump the client to serve the error.
69 if (!calloutContext->sslBumpCheckDone) {
70 calloutContext->sslBumpCheckDone = true;
71 if (calloutContext->sslBumpAccessCheck())
72
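Review bot: the rewritten comment describes the new intent well, but it states the rule without its exception, while the first hunk's context still carries the "do not bump during authentication" case. A short clause such as "(except during proxy authentication; see sslBumpAccessCheck())" would keep the two comments consistent and save the next reader from inferring the exemption from the callee.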