]>
Commit | Line | Data |
---|---|---|
e01b933c MF |
1 | ------------------------------------------------------------ |
2 | revno: 14142 | |
3 | revision-id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq | |
4 | parent: squid3@treenet.co.nz-20170128035415-bpwt79jsobv1rqx3 | |
5 | author: Christos Tsantilas <chtsanti@users.sourceforge.net> | |
6 | committer: Amos Jeffries <squid3@treenet.co.nz> | |
7 | branch nick: 3.5 | |
8 | timestamp: Wed 2017-02-08 18:40:33 +1300 | |
9 | message: | |
10 | Bump SSL client on [more] errors encountered before ssl_bump evaluation | |
11 | ||
12 | ... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an | |
13 | http_access deny rule match. | |
14 | ||
15 | The old code allowed ssl_bump step1 rules to be evaluated in the | |
16 | presence of an error. An ssl_bump splicing decision would then trigger | |
17 | the useless "send the error to the client now" processing logic instead | |
18 | of going down the "to serve an error, bump the client first" path. | |
19 | ||
20 | Furthermore, the ssl_bump evaluation result itself could be surprising | |
21 | to the admin because ssl_bump (and most other) rules are not meant to be | |
22 | evaluated for a transaction in an error state. This complicated triage. | |
23 | ||
24 | Also polished an important comment to clarify that we want to bump on | |
25 | error if (and only if) the SslBump feature is applicable to the failed | |
26 | transaction (i.e., if the ssl_bump rules would have been evaluated if | |
27 | there were no prior errors). The old comment could have been | |
28 | misinterpreted that ssl_bump rules must be evaluated to allow an | |
29 | "ssl_bump splice" match to hide the error. | |
30 | ||
31 | This is a Measurement Factory project. | |
32 | ------------------------------------------------------------ | |
33 | # Bazaar merge directive format 2 (Bazaar 0.90) | |
34 | # revision_id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq | |
35 | # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 | |
36 | # testament_sha1: 8c3f2a03f86aa1b1484195a63742bc4002ba2359 | |
37 | # timestamp: 2017-02-08 05:51:15 +0000 | |
38 | # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 | |
39 | # base_revision_id: squid3@treenet.co.nz-20170128035415-\ | |
40 | # bpwt79jsobv1rqx3 | |
41 | # | |
42 | # Begin patch | |
43 | === modified file 'src/client_side_request.cc' | |
44 | --- src/client_side_request.cc 2017-01-23 02:05:46 +0000 | |
45 | +++ src/client_side_request.cc 2017-02-08 05:40:33 +0000 | |
46 | @@ -1442,6 +1442,13 @@ | |
47 | return false; | |
48 | } | |
49 | ||
50 | + if (error) { | |
51 | + debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]); | |
52 | + http->sslBumpNeed(Ssl::bumpBump); | |
53 | + http->al->ssl.bumpMode = Ssl::bumpBump; | |
54 | + return false; | |
55 | + } | |
56 | + | |
57 | // Do not bump during authentication: clients would not proxy-authenticate | |
58 | // if we delay a 407 response and respond with 200 OK to CONNECT. | |
59 | if (error && error->httpStatus == Http::scProxyAuthenticationRequired) { | |
60 | @@ -1781,8 +1788,9 @@ | |
61 | } | |
62 | ||
63 | #if USE_OPENSSL | |
64 | - // We need to check for SslBump even if the calloutContext->error is set | |
65 | - // because bumping may require delaying the error until after CONNECT. | |
66 | + // Even with calloutContext->error, we call sslBumpAccessCheck() to decide | |
67 | + // whether SslBump applies to this transaction. If it applies, we will | |
68 | + // attempt to bump the client to serve the error. | |
69 | if (!calloutContext->sslBumpCheckDone) { | |
70 | calloutContext->sslBumpCheckDone = true; | |
71 | if (calloutContext->sslBumpAccessCheck()) | |
72 |