From: rousskov <> Date: Tue, 12 Feb 2008 05:26:39 +0000 (+0000) Subject: Importing SslBump feature from Squid3 ssl-bump branch: X-Git-Tag: BASIC_TPROXY4~125 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d5a6db859fc8027514b606827147306c75eacbf;p=thirdparty%2Fsquid.git Importing SslBump feature from Squid3 ssl-bump branch: Added ERR_SECURE_CONNECT_FAIL that is returned when we cannot secure the established connection with the server. Formerly, ERR_CONNECT_FAIL was returned. Supply the SSL error check ACL when forwarding SSL connections. The check list is stored as SSL ex_data and is destroyed by OpenSSL when the SSL struct is destroyed. --- diff --git a/src/enums.h b/src/enums.h index 5aea411e67..43d79b7d39 100644 --- a/src/enums.h +++ b/src/enums.h @@ -1,6 +1,6 @@ /* - * $Id: enums.h,v 1.260 2007/12/14 20:07:15 hno Exp $ + * $Id: enums.h,v 1.261 2008/02/11 22:26:39 rousskov Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -69,6 +69,7 @@ typedef enum { ERR_WRITE_ERROR, ERR_SHUTTING_DOWN, ERR_CONNECT_FAIL, + ERR_SECURE_CONNECT_FAIL, ERR_INVALID_REQ, ERR_UNSUP_REQ, ERR_INVALID_URL, diff --git a/src/forward.cc b/src/forward.cc index c646951e09..48e060311b 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -1,6 +1,6 @@ /* - * $Id: forward.cc,v 1.174 2008/02/07 18:22:23 rousskov Exp $ + * $Id: forward.cc,v 1.175 2008/02/11 22:26:39 rousskov Exp $ * * DEBUG: section 17 Request Forwarding * AUTHOR: Duane Wessels @@ -582,7 +582,7 @@ FwdState::negotiateSSL(int fd) debugs(81, 1, "fwdNegotiateSSL: Error negotiating SSL connection on FD " << fd << ": " << ERR_error_string(ERR_get_error(), NULL) << " (" << ssl_error << "/" << ret << "/" << errno << ")"); - ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request); + ErrorState *anErr = errorCon(ERR_SECURE_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request); #ifdef EPROTO anErr->xerrno = EPROTO; @@ -663,6 +663,14 @@ FwdState::initiateSSL() SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost()); } + // Create the ACL check list now, while we have access to more info. + // The list is used in ssl_verify_cb() and is freed in ssl_free(). + if (acl_access *acl = Config.ssl_client.cert_error) { + ACLChecklist *check = aclChecklistCreate(acl, request, dash_str); + check->fd(fd); + SSL_set_ex_data(ssl, ssl_ex_index_cert_error_check, check); + } + fd_table[fd].ssl = ssl; fd_table[fd].read_method = &ssl_read_method; fd_table[fd].write_method = &ssl_write_method;