From: Alex Rousskov Date: Mon, 6 Jul 2020 08:04:31 +0000 (+0000) Subject: Honor on_unsupported_protocol for intercepted https_port (#689) X-Git-Tag: SQUID_4_13~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4c1596dd5b05937dca44a8e7aa8dcd289bf3905;p=thirdparty%2Fsquid.git Honor on_unsupported_protocol for intercepted https_port (#689) ... when Squid discovers a non-TLS client while parsing its handshake. For https_port traffic, ConnStateData::switchToHttps() relies on start() to set preservingClientData_ correctly, but shouldPreserveClientData(), called by start() to set preservingClientData_, was not preserving TLS bytes in the https_port start() context. Typical debug messages: parseTlsHandshake: Got something other than TLS ... Cannot SslBump tunnelOnError: may have forgotten client data; send error: 40 --- diff --git a/src/client_side.cc b/src/client_side.cc index 65c1061d23..f7038ba983 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -4211,8 +4211,8 @@ ConnStateData::shouldPreserveClientData() const return true; #endif - // the 1st HTTP request on a connection to a plain intercepting port - if (!pipeline.nrequests && !port->secure.encryptTransport && transparent()) + // the 1st HTTP(S) request on a connection to an intercepting port + if (!pipeline.nrequests && transparent()) return true; return false;
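Review bot: In shouldPreserveClientData(), the new condition `if (!pipeline.nrequests && transparent())` no longer distinguishes plain from TLS intercepting ports, and the rewritten comment should say why preservation is needed in the https_port case. Per the commit message, switchToHttps() depends on start() having set preservingClientData_, so that the raw client bytes are still available when parseTlsHandshake finds a non-TLS client and on_unsupported_protocol has to act on them. Please also state whether `!pipeline.nrequests` can still be true on an https_port connection after a successful handshake: with the `!port->secure.encryptTransport` guard removed, nothing in this hunk limits preservation to the pre-handshake bytes. A regression test that sends non-TLS bytes to an intercepted https_port and checks that the "may have forgotten client data" message no longer appears would pin the behaviour down.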