squid 3.5.25: latest patches (14155-14167)
1 ------------------------------------------------------------
2 revno: 14165
3 revision-id: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
4 parent: squid3@treenet.co.nz-20170529063645-qmu68scq9go0wbqr
5 fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
6 author: Christos Tsantilas <chtsanti@users.sourceforge.net>
7 committer: Amos Jeffries <squid3@treenet.co.nz>
8 branch nick: 3.5
9 timestamp: Mon 2017-05-29 19:10:37 +1200
10 message:
11 Bug 4682: ignoring http_access deny when client-first bumping mode is used
12
13 Squid fails to identify HTTP requests which are tunneled inside an already
14 established client-first bumped tunnel, and this results in ignoring
15 http_access denied for these requests.
16
17 This is a Measurement Factory project
18 ------------------------------------------------------------
19 # Bazaar merge directive format 2 (Bazaar 0.90)
20 # revision_id: squid3@treenet.co.nz-20170529071037-o91o8xvaqata5y2b
21 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
22 # testament_sha1: f77b81826612d7248fb774ef1ea00747cd04d479
23 # timestamp: 2017-05-29 07:51:03 +0000
24 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
25 # base_revision_id: squid3@treenet.co.nz-20170529063645-\
26 # qmu68scq9go0wbqr
27 #
28 # Begin patch
29 === modified file 'src/client_side_request.cc'
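--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -1424,7 +1424,17 @@
 if (bumpMode != Ssl::bumpEnd) {
 debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
 "), " << "ignoring ssl_bump for " << http->getConn());
- if (!http->getConn()->serverBump())
+
+ // We need the following "if" for transparently bumped TLS connection,
+ // because in this case we are running ssl_bump access list before
+ // the doCallouts runs. It can be removed after the bug #4340 fixed.
+ // We do not want to proceed to bumping steps:
+ // - if the TLS connection with the client is already established
+ // because we are accepting normal HTTP requests on TLS port,
+ // or because of the client-first bumping mode
+ // - When the bumping is already started
+ if (!http->getConn()->switchedToHttps() &&
+ !http->getConn()->serverBump())
 http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
 http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
 return false;
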
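Review bot: The new comment states the removal condition only in passing (`It can be removed after the bug #4340 fixed`), which is easy to lose in a block of prose; a greppable marker such as `// TODO: remove this guard once bug #4340 is fixed` on its own line would keep the temporary nature of the check visible. The comment also never says what happens to a request on a connection that has already switched to HTTPS: `sslBumpNeed()` is skipped but the function still records `bumpMode` in the access log entry and returns false, so the request presumably continues through the ordinary callouts where http_access is evaluated — stating that explicitly would tie the guard to the access-control bypass the commit message describes, if that is indeed the intended path. The guard dereferences `http->getConn()` twice, but the `debugs` call three lines above already does so, so the non-null assumption is not new to this change. The enclosing function starts and ends outside the hunk.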