From: Christos Tsantilas Date: Tue, 10 Apr 2012 16:02:41 +0000 (+0300) Subject: sslproxy_cert_sign/sslproxy_cert_adapt: Document the SQUID_X509_V_ERR_DOMAIN_MISMATCH bug X-Git-Tag: BumpSslServerFirst.take08~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b0d23b7cc273076392251ee5ab2a72da7beacfe;p=thirdparty%2Fsquid.git sslproxy_cert_sign/sslproxy_cert_adapt: Document the SQUID_X509_V_ERR_DOMAIN_MISMATCH bug Replace the documentation for the SQUID_X509_V_ERR_DOMAIN_MISMATCH related bug with a "WARNING" which describes the problem. --- diff --git a/src/cf.data.pre b/src/cf.data.pre index daa0c3de9a..24a1c01298 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2167,8 +2167,12 @@ DOC_START When the acl(s) match, the corresponding signing algorithm is used to generate the certificate. Otherwise, the default signing algorithm used - BUG: The SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch ssl - errors can not be used with ssl_error acl type. + WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can + be used with sslproxy_cert_adapt, but if and only if Squid is bumping a + CONNECT request that carries a domain name. In all other cases (CONNECT + to an IP address or an intercepted SSL connection), Squid cannot detect + the domain mismatch at certificate generation time when + bump-server-first is used. DOC_END NAME: sslproxy_cert_adapt 
@@ -2201,8 +2205,12 @@ DOC_START applied to the fake/generated certificate. Otherwise, the default mimicking action takes place. - BUG: The SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch ssl - errors can not be used with ssl_error acl type + WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can + be used with sslproxy_cert_adapt, but if and only if Squid is bumping a + CONNECT request that carries a domain name. In all other cases (CONNECT + to an IP address or an intercepted SSL connection), Squid cannot detect + the domain mismatch at certificate generation time when + bump-server-first is used. DOC_END NAME: sslpassword_program
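Review bot: In the first hunk (@@ -2167,8 +2167,12 @@), the added WARNING names the wrong directive: it says the errors "can be used with sslproxy_cert_adapt", but this text sits in the documentation block that ends just before "NAME: sslproxy_cert_adapt", whose context lines describe choosing a signing algorithm. Going by the commit subject, that block belongs to sslproxy_cert_sign, so the sentence here should read "can be used with sslproxy_cert_sign". As written, both hunks add identical text, and a reader of the signing directive's documentation is told only about the other directive.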
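Review bot: In the second hunk (@@ -2201,8 +2205,12 @@), the last sentence of the WARNING never says what an admin should expect from a rule that uses SQUID_X509_V_ERR_DOMAIN_MISMATCH in the cases it lists (CONNECT to an IP address, intercepted SSL connection). Please state the outcome explicitly, for example whether the acl simply does not match and the "default mimicking action" from the preceding context lines applies. The trailing "when bump-server-first is used" is also ambiguous: it can be read as qualifying only the "In all other cases" sentence or the whole warning. Moving that condition to the start of the warning would remove the ambiguity. The same wording points apply to the identical text in the first hunk.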