}
}
atTlsPeek = false;
- Must(sslServerBump);
- Must(sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare);
- startPeekAndSplice();
+ afterClientHelloPeeked();
return;
}
#endif
this, ConnStateData::requestTimeout);
commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);
- // Disable the client read handler until CachePeer selection is complete
- Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, NULL, NULL, 0);
- Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, clientNegotiateSSL, this, 0);
switchedToHttps_ = true;
+
+ auto ssl = fd_table[clientConnection->fd].ssl.get();
+ BIO *b = SSL_get_rbio(ssl);
+ Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
+ bio->setReadBufData(inBuf);
+ inBuf.clear();
+ clientNegotiateSSL(clientConnection->fd, this);
}
void
if (bumpServerMode == Ssl::bumpServerFirst && !sslServerBump) {
request->flags.sslPeek = true;
sslServerBump = new Ssl::ServerBump(request);
-
- // will call httpsPeeked() with certificate and connection, eventually
- FwdState::fwdStart(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw());
- return;
} else if (bumpServerMode == Ssl::bumpPeek || bumpServerMode == Ssl::bumpStare) {
request->flags.sslPeek = true;
sslServerBump = new Ssl::ServerBump(request, NULL, bumpServerMode);
+ }
- // commSetConnTimeout() was called for this request before we switched.
- // Fix timeout to request_start_timeout
- typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
- AsyncCall::Pointer timeoutCall = JobCallback(33, 5,
- TimeoutDialer, this, ConnStateData::requestTimeout);
- commSetConnTimeout(clientConnection, Config.Timeout.request_start_timeout, timeoutCall);
- // Also reset receivedFirstByte_ flag to allow this timeout work in the case we have
- // a bumbed "connect" request on non transparent port.
- receivedFirstByte_ = false;
- // Get more data to peek at Tls
- atTlsPeek = true;
- readSomeData();
+ // commSetConnTimeout() was called for this request before we switched.
+ // Fix timeout to request_start_timeout
+ typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
+ AsyncCall::Pointer timeoutCall = JobCallback(33, 5,
+ TimeoutDialer, this, ConnStateData::requestTimeout);
+ commSetConnTimeout(clientConnection, Config.Timeout.request_start_timeout, timeoutCall);
+ // Also reset receivedFirstByte_ flag to allow this timeout work in the case we have
+ // a bumbed "connect" request on non transparent port.
+ receivedFirstByte_ = false;
+ // Get more data to peek at Tls
+ atTlsPeek = true;
+ readSomeData();
+}
+
+void
+ConnStateData::afterClientHelloPeeked()
+{
+ receivedFirstByte();
+
+ // Avoid the check for tlsParser error, in the case of bug in our tls parser.
+ // The bumpServerFirst and bumpClientFirst should not depend on tlsParser
+ // result. For the peek-and-splice mode, the tlsParser.parseError checked and
+ // handled inside startPeekAndsSplice method.
+
+ // Record parsed info
+ if (!tlsParser.parseError)
+ clientConnection->tlsNegotiations()->retrieveParsedInfo(tlsParser.details);
+
+ // We should disable read/write handlers
+ Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, NULL, NULL, 0);
+ Comm::SetSelect(clientConnection->fd, COMM_SELECT_WRITE, NULL, NULL, 0);
+
+ if (!sslServerBump) { // BumpClientFirst mode does not use this member
+ getSslContextStart();
return;
+ } else if (sslServerBump->act.step1 == Ssl::bumpServerFirst) {
+ // will call httpsPeeked() with certificate and connection, eventually
+ FwdState::fwdStart(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw());
+ } else {
+ Must(sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare);
+ startPeekAndSplice();
}
-
- // otherwise, use sslConnectHostOrIp
- getSslContextStart();
}
bool
clientConnection->close();
return;
}
- receivedFirstByte();
-
- // Record parsed info
- clientConnection->tlsNegotiations()->retrieveParsedInfo(tlsParser.details);
if (serverBump()) {
Security::TlsDetails::Pointer const &details = tlsParser.details;
}
}
- // We should disable read/write handlers
- Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, NULL, NULL, 0);
- Comm::SetSelect(clientConnection->fd, COMM_SELECT_WRITE, NULL, NULL, 0);
-
startPeekAndSpliceDone();
}
#include "errorpage.h"
#include "fde.h"
#include "HttpRequest.h"
+#include "security/NegotiationHistory.h"
#include "SquidConfig.h"
#include "ssl/bio.h"
#include "ssl/cert_validate_message.h"
commSetConnTimeout(serverConnection(), timeToRead, nil);
}
+void
+Ssl::PeerConnector::recordNegotiationDetails()
+{
+ const int fd = serverConnection()->fd;
+ Security::SessionPtr ssl = fd_table[fd].ssl.get();
+
+ // retrieve TLS server negotiated information if any
+ serverConnection()->tlsNegotiations()->retrieveNegotiatedInfo(ssl);
+ // retrieve TLS parsed extra info
+ BIO *b = SSL_get_rbio(ssl);
+ Ssl::ServerBio *bio = static_cast<Ssl::ServerBio *>(b->ptr);
+ if (const Security::TlsDetails::Pointer &details = bio->receivedHelloDetails())
+ serverConnection()->tlsNegotiations()->retrieveParsedInfo(details);
+}
+
void
Ssl::PeerConnector::negotiateSsl()
{
return; // we might be gone by now
}
+ recordNegotiationDetails();
+
if (!sslFinalized())
return;
// no special error handling for all other errors
break;
}
+
+ // Log connections details if there is any
+ recordNegotiationDetails();
noteSslNegotiationError(ret, ssl_error, ssl_lib_error);
}
projects / thirdparty / squid.git / commitdiff
