From: Christos Tsantilas
Date: Thu, 14 Jun 2012 21:48:10 +0000 (+0300)
Subject: Non-bumping broken for intercept
X-Git-Tag: BumpSslServerFirst.take09~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6df4ecaeef5494b2e325c3ecc7483ac98f158bbc;p=thirdparty%2Fsquid.git
Non-bumping broken for intercept
When an intercepted SSL connection matches "ssl_bump none" in squid.conf, Squid correctly refuses to bump it and establishes a TCP tunnel using a fake CONNECT request. Unfortunately, the HTTP client terminates with an "unknown protocol" SSL error. Also the client_dst_passthru does not work as expected for intercepted requests
---
diff --git a/src/client_side.cc b/src/client_side.cc
index 6fe7702e5e..22ddb7b9af 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3563,6 +3563,7 @@ httpsEstablish(ConnStateData *connState, SSL_CTX *sslContext, Ssl::BumpMode bum
 #endif
 fakeRequest->my_addr = connState->clientConnection->local;
 fakeRequest->flags.spoof_client_ip = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+ fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0);
 debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
 connState->switchToHttps(fakeRequest, bumpMode);
 }
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 26e6072bcd..28a5101791 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -523,7 +523,7 @@ tunnelConnected(const Comm::ConnectionPointer &server, void *data)
 TunnelStateData *tunnelState = (TunnelStateData *)data;
 debugs(26, 3, HERE << server << ", tunnelState=" << tunnelState);
- if (tunnelState->request && tunnelState->request->flags.spoof_client_ip)
+ if (tunnelState->request && (tunnelState->request->flags.spoof_client_ip || tunnelState->request->flags.intercepted))
 tunnelStartShoveling(tunnelState); // ssl-bumped connection, be quiet
 else {
 AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone",
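Review bot: The new `fakeRequest->flags.intercepted` assignment in httpsEstablish has no comment saying why the fake CONNECT must carry this flag, and nothing at this site shows that it is what later keeps tunnel.cc from writing a CONNECT reply to a client that never sent a CONNECT (the "unknown protocol" failure the commit message describes). I would add above the new line: `// an intercepted client never sent CONNECT; tunnelConnected() must not answer it with a CONNECT reply before shoveling`. The flag's value appears to be taken from the listening connection's COMM_INTERCEPTION bit rather than from anything the client sent, which is presumably why it is safe to trust it for that decision — worth confirming and stating in the comment. The line above keeps the pre-existing `!= 0 ) ;` spacing; if this spot is touched again, writing both assignments as `!= 0);` would let the pair read as one. httpsEstablish begins before this hunk, and the tunnel.cc hunk that consumes the flag runs past the end of this page.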