From: Alex Rousskov
Date: Tue, 19 Jun 2012 16:08:52 +0000 (-0600)
Subject: Merged from trunk (r12181, v3.2.0.17+)
X-Git-Tag: BumpSslServerFirst.take09~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37276dbb34a2a5bedddf25af3f093228ff43742d;p=thirdparty%2Fsquid.git

Merged from trunk (r12181, v3.2.0.17+)
---
37276dbb34a2a5bedddf25af3f093228ff43742d
diff --cc src/cache_cf.cc
index 92b5c10f6b,6a65f60ebd..893bd6b52d
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@@ -3805,24 -3803,9 +3806,24 @@@ parsePortCfg(AnyP::PortCfg ** head, con
parse_port_option(s, token);
}
+#if USE_SSL
+ if (strcasecmp(protocol, "https") == 0) {
+ /* ssl-bump on https_port configuration requires either tproxy or intercepted, and vice versa */
+ const bool hijacked = s->spoof_client_ip || s->intercepted;
+ if (s->sslBump && !hijacked) {
+ debugs(3, DBG_CRITICAL, "FATAL: ssl-bump on https_port requires tproxy/intercepted which is missing.");
+ self_destruct();
+ }
+ if (hijacked && !s->sslBump) {
+ debugs(3, DBG_CRITICAL, "FATAL: tproxy/intercepted on https_port requires ssl-bump which is missing.");
+ self_destruct();
+ }
+ }
+#endif
+
if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && s->s.IsAnyAddr()) {
// clone the port options from *s to *(s->next)
- s->next = s->clone();
+ s->next = cbdataReference(s->clone());
s->next->s.SetIPv4();
debugs(3, 3, protocol << "_port: clone wildcard address for split-stack: " << s->s << " and " << s->next->s);
}
diff --cc src/forward.cc
index 2cabf4c71a,d55cce5cd1..cac6531a7f
--- a/src/forward.cc
+++ b/src/forward.cc
@@@ -834,19 -758,13 +834,21 @@@ FwdState::connectDone(const Comm::Conne
if (serverConnection()->getPeer())
peerConnectSucceded(serverConnection()->getPeer());
+ if (request->flags.canRePin && request->clientConnectionManager.valid()) {
+ debugs(17, 3, HERE << "repinning " << serverConn);
+ request->clientConnectionManager->pinConnection(serverConn,
+ request, serverConn->getPeer(), request->flags.auth);
+ request->flags.pinned = 1;
+ }
+
#if USE_SSL
- if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) ||
- (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) ||
- (request->flags.sslPeek)) {
- initiateSSL();
- return;
+ if (!request->flags.pinned) {
+ if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) ||
- (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS)) {
++ (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) ||
++ request->flags.sslPeek) {
+ initiateSSL();
+ return;
+ }
}
#endif
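Review bot: In the src/cache_cf.cc hunk, the comment above the new https_port validation says ssl-bump and tproxy/intercepted require each other but not why, so a later maintainer cannot judge whether a new port option belongs in `hijacked` or why a mismatch is fatal rather than a warning; I would expand it along the lines of `/* ssl-bump is only meaningful when https traffic is intercepted (tproxy/intercepted), and intercepted https traffic cannot be served without bumping it, so refuse both mismatches at parse time rather than at the first connection. */`, adjusting the wording to the actual design intent. The two `self_destruct()` branches read as mutually exclusive only if `self_destruct()` does not return, as its name suggests; if it can return, the second check also runs after the first fires, which is harmless here. parsePortCfg() begins and ends outside this hunk, so the check runs after option parsing and before the split-stack clone below, which therefore inherits already-validated flags.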