This patch adds code in squid to control SslBump behavior when dealing with
"resuming SSL/TLS sessions". Without these changes, SslBump usually terminates
all resuming sessions with an error because such sessions do not include
server certificates, preventing Squid from successfully validating the server
identity.
After these changes, Squid splices resuming sessions. Splicing is the right
because Squid most likely has spliced the original connections that the client
and server are trying to resume now.
Without SslBump, session resumption would just work, and SslBump behaviour
should approach that ideal.
Future projects may add ACL checks for allowing resuming sessions and may
add more complex algorithms, including maintaining an SMP-shared
cache of sessions that may be resumed in the future and evaluating
client/server attempts to resume a session using that cache.
This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.
Also add support for NPN (next protocol negotiation) and ALPN
(Application-Layer Protocol Negotiation) tls extensions, required to
correctly bump web clients support these extensions
Technical details
-----------------
In Peek mode, the old Squid code would forward the client Hello message to the
server. If the server tries to resume the previous (spliced) SSL session with
the client, then Squid SSL code gets an ssl/PeerConnector.cc "ccs received
early" error (or similar) because the Squid SSL object expects a server
certificate and does not know anything about the session being resumed.
With this patch, Squid detects session resumption attempts and splices
There are two mechanism in SSL/TLS for resuming sessions. The traditional
shared session IDs and the TLS ticket extensions:
* If Squid detects a shared ID in both client and server Hello messages, then
Squid decides whether the session is being resumed by comparing those client
and server shared IDs. If (and only if) the IDs are the same, then Squid
assumes that it is dealing with a resuming session (using session IDs).
* If Squid detects a TLS ticket in the client Hello message and TLS ticket
support in the server Hello message as well as a Change Cipher Spec or a New
TLS Ticket message (following the server Hello message), then (and only then)
Squid assumes that it is dealing with a resuming session (using TLS tickets).
The TLS tickets check is not performed if Squid detects a shared session ID
in both client and server Hello messages.
NPN and ALPN tls extensions
---------------------------
Even if squid has some SSL hello messages parsing code, we are relying to
OpenSSL for full parsing. The openSSL used in peek and splice mode to parse
server hello message, check for errors and verify server certificates.
If the openSSL, while parses the server hello message, find an extension enabled
in the server hello message, which is not enabled in its side, fails with an
error ("...parse tlsext...").
OpenSSL supports NPN tls extension and from 1.0.2 release supports also the
ALPN tls extensions. In peek mode we are forwading the client SSL hello message
as is, and if this message include support for NPN or ALPN tls extension is
possible that the SSL server support them and include related extensions
in its response. The openSSL will fail if support for these extensions is
not enabled in its side.
This patch handles the NPN (TLSEXT_TYPE_next_proto_neg) as follows:
Try to select the http/1.1 protocol from the server protocols list. If the
http/1.1 is not supported then the SSL bumping will fail. This is valid
because only http protocol we are supporting in squid.
Splicing is not affected.
Also add support for the ALPN TLS extension. This extension is a replacement
for the NPN extension. The client sends a list of supported protocols. In the
case of stare mode squid now sends only http as supported protocol. In the
case of server-first or client-first bumbing modes, squid does enable this
extension.
The NPN supported by chromium browser the ALPN supported by firefox.
Support for ALPN is added to openSSL 1.0.2 release.
These extensions are used to support SPDY and similar protocols.
The fix for Bug 3664 "ssl_crtd fails to build on OpenSolaris/OpenIndiana/Solaris 11"
introduced a regression on BSD and Linux where lockf() implementations appear not to
lock the entire file correctly or as reliably as flock().
Reverting the flock/lockf change for non-Solaris OS.
Add server_name ACL matching server name(s) obtained from various sources
... such as CONNECT request URI, client SNI, and SSL server certificate CN.
During each SslBump step, Squid improves its understanding of a "true server
name", with a bias towards server-provided (and Squid-validated) information.
The server-provided server names are retrieved from the server certificate CN
and Subject Alternate Names. The new server_name ACL matches any of alternate
names and CN. If the CN or an alternate name is a wildcard, then the new ACL
matches any domain that matches the domain with the wildcard.
Other than supporting many sources of server name information (including
sources that may supply Squid with multiple server name variants and
wildcards), the new ACL is similar to dstdomain.
Invalid request->clientConnectionManager object used by Ssl::PeerConnector::handleNegotiateError
This patch adds the Ssl::ServerBio::bumpMode() method to retrieve the configured
mode from a ServerBio object, and uses this method for checking the bumping
mode inside Ssl::PeerConnector::handleNegotiateError method
After a failed http_access acl check of an HTTP request, tunneled through a
SSL bumped connection, ssl bumping code try to re-setup the connection for a
client-first bumping mode to serve the error crashing squid.
It can be hard determining what simple operations (ie cow(), grow()) are
being done no what SBuf object. Add the SBuf::id to debugs() output on
many more operations.
When squid generated an error page which contains the "%m" formating code
but the authentication information is not available squid dies with
segfault.
Amos Jeffries [Sat, 21 Mar 2015 07:38:14 +0000 (00:38 -0700)]
Portability: check 64-bit GNU atomic operators are useable
Sometimes (namely 32-bit OpenBSD libstdc++) do not fully implement the
GNU atomic operators for both 32-bit and 64-bit. But Squid makes use of
both types if the compiler deems them required.
We need to check them all before declaring the atomics usable, or not.
Thanks to Stuart Henderson for identifying the issue.
Amos Jeffries [Tue, 3 Mar 2015 14:48:01 +0000 (06:48 -0800)]
Bug 2907: high CPU usage on CONNECT when using delay pools
When delay pools are active on a CONNECT tunnel and the pool is drained
the I/O loop cycles very often transferring 1 byte until the pool is
topped-up at the end of the second.
Instead of looping constantly trying to read 1 byte at a time, add an
asynchronous event to wait for a few I/O cycles or until more bytes can
be read.
To protect against infinite loops of waiting when many tunnels are
competing for the pool allowance we only delay for a limited number of
loops before allowing at least 1 byte through. Also, the amount of time
waited is an odd fraction of 1 second so re-tries naturally spread
across any given second fairly, with connections rotating closer or
further from the time when pool topup happens. That behaviour still
allows some variance in service times, but overall the CPU consumption
and (as a result) total proxy speed appears to be much improved.
NP: Initial production testing shows a 36% RPS speed increase,
with a 50% reduction in total CPU usage.
Squid closes the SSL client connection with "Failed to start fake CONNECT
request for ssl spliced connection". This happens especially often when
the pipeline_prefetch configuration parameter is set to "0" (i.e., default).
When a transparent SSL connection is peeked and then spliced in step2, we are
generating a fake CONNECT request. The fake CONNECT request is counted as a
new pipelined request and may exceed the configured limit. This patch solves
this problem by raising the limit for that request.
Needs more work to better identify the requests that need a different limit.
Joshua Root [Tue, 3 Mar 2015 14:41:07 +0000 (06:41 -0800)]
Bug 3805: support shared memory on MacOS X in Mem::IPC::Segment
MacOS X doesn't support the O_TRUNC flag to shm_open; it is redundant anyway
because the shared memory segment is truncated immediately after opening
as per best practices. With this support Squid can now be built and run
under MacOS X.
Amos Jeffries [Tue, 3 Mar 2015 14:37:28 +0000 (06:37 -0800)]
basic_nis_auth: fail authentication on crypt() failures
... instead of crashing the helper.
"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
Amos Jeffries [Tue, 3 Mar 2015 14:36:20 +0000 (06:36 -0800)]
basic_getpwnam_auth: fail authentication on crypt() failures
... instead of crashing the helper.
"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
Problem description:
- Squid sslproxy_options deny the use of TLSv1.2 SSL protocol:
sslproxy_options NO_TLSv1_2
- Squid uses peek mode for bumped connections.
- Web client sends a TLSv1.2 hello message and squid in peek mode,
forwards the client hello message to server
- Web server responds with a TLSv1.2 hello message
- Squid while parsing server hello message aborts with an error because
sslproxy_options denies the use of TLSv1.2 protocol.
This patch fixes squid to ignore sslproxy_options when peek or stare
bumping mode is selected on bumpStep2 bumping step.
The sslproxy_options are applied if bump (server-first or client-first)
mode is selected on bumpStep1 or bumpStep2 bumping step. Also for
proxied https:// scheme requests.
Eldar Akchurin [Tue, 10 Feb 2015 04:42:35 +0000 (20:42 -0800)]
Bug 4073: Cygwin compile errors
Remove the definition of _SQUID_WINDOWS_ for Cygwin builds. The blend
of win32 and Linux environments is sufficiently different to have major
build issues. We have a precedent in kFreeBSD blend of BSD and Linux to
consider Cygwin a blend and first-class OS.
Also, temporarily disable the Win32-specific libraries and objects until
they can be properly tested.
Fix some small remaining compile errors after the above.
Cygwin Windows build is sponsored by Diladele B.V.
Amos Jeffries [Tue, 10 Feb 2015 03:15:56 +0000 (19:15 -0800)]
Cygwin: Disable C++11 detection and default use
The flags to enable can still be presented explicitly by the user but
there are known clashes with POSIX / ANSI definitions that sound
remarkably sinmilar to the Clang issues with -std=c++0x
Amos Jeffries [Fri, 6 Feb 2015 15:59:58 +0000 (07:59 -0800)]
Fix some cbdataFree related memory leaks
The delete operator should have been called for these objects after
previous code changes converted them to CBDATA_CLASS. As a result any
member objects relying on their destructor to cleanup were being leaked.
Also, make generic_cbdata::data a private member. The unwrap() method is
easily used now.
Amos Jeffries [Sun, 1 Feb 2015 09:14:12 +0000 (01:14 -0800)]
Stop emitting (Proxy-)Authentication-Info for Negotiate
This header is not defined for use by RFC 4559, and there seem to
be no clients actually using it.
The syntax Squid was using to emit the details was also clashing
with the syntax defined for use in Digest which is becoming the
standardized ABNF syntax for the header in general.
Amos Jeffries [Sun, 1 Feb 2015 09:12:31 +0000 (01:12 -0800)]
Remove dst ACL dependency on HTTP request message existence
The ACL checklist dst_addr member can be used in cases where the HTTP
message is not provided. Such as ssl_bump, ICAP outgoing IP, or peer
selection probes.
When he prefix() method is passed a set limit for characters to scan and
the matched characters do reach that limit the entire Tokenizer buffer
content is consumed and returned.
Correct operation is to only consume and return the matched characters.
Add missing root CAs when validating chains that passed internal checks.
When internal checks found no certificate errors, Squid does not include root
CA certificate in certificates chain sent to the certificate validator. Squid
just sent the certificates chain sent by the SSL server.
This patch stores the full certificates list built by OpenSSL while validating
the SSL server certificates chain, even if no certificate error found and sends
this list to certificate validator.
Set cap_net_admin capability when Squid sets TOS/Diffserv packet values.
In capabilities-capable environments (e.g., Linux with libcap), CAP_NET_ADMIN
capability is required to honor clientside_tos and tcp_outgoing_tos
directives. The code was setting that capability when Netfilter marks or
tproxy was enabled, but missed the clientside_tos and tcp_outgoing_tos cases.
Amos Jeffries [Tue, 20 Jan 2015 10:03:07 +0000 (02:03 -0800)]
HTCP: fix memory initialization errors
memset() used to initialize HTCP objects made sense when they were
structs. But now they are classes proper constructors need to be used
to avoid memset() erasing vtable and other important areas. It also
helps to reduce code and improve performance during init a tiny bit.
Amos Jeffries [Sun, 18 Jan 2015 04:24:51 +0000 (20:24 -0800)]
Bug 3997: Excessive NTLM or Negotiate auth helper annotations
With the transaction annotations feature added in Squid-3.4 auth
helper response values get recorded as annotatiions. In the case
of NTLM and Negotiate authentication the helper response contains
a large credentials token which changes frequently.
Also, user credentials state is cached. In the case of NTLM and
Negotiate the active credentials are cached in the TCP connection
state data, but also for the cache mgr helper reports make use of
caching in a global username cache.
When these two features are combined, the global username cache
for mgr reporting accumulates all TCP connection specific
token= values presented by the client on all its connections, and
any changes to the token over its lifetime.
The result is that for users performing either many transactions,
or staying connected for long periods the memory consumption from
unnecesarily stored tokens is excessive. When clients do both the
machine memory can be consumed, and the CPU can reach 100%
consumption just walking the annotations lists during regular
operations.
To fix this we drop the security credentials tokens from cached
annotations list in NTLM and Negotiate. Digest is also included
though its HA1 token value is static it has similar privacy issues
related to storage.
Also, use the new 3.5 API for username cache key creation to build
the global username cache key for NTLM/Negotiate using the TCP
connection specific token so that credentials and associated
tokens do not get accidentally shared between connections and the
manager can accurately report users.
Amos Jeffries [Tue, 13 Jan 2015 08:44:51 +0000 (00:44 -0800)]
squidclient: Fix -A and -P options
With --https addition the A and P values are re-used for --cert and
--params within HTTPS options. This works for long options, but they
cannot be listed as short options by the Transport:: module because
they are required at the top level by old-style HTTP parameters.
Amos Jeffries [Fri, 9 Jan 2015 06:02:47 +0000 (22:02 -0800)]
Improved automake 1.13+ support in unit-tests
Automake 1.13+ are warning about subdir-objects being enabled in
future versions but Squid currently relies on several environment
constructs that prevent that feature from working.
* All cppunit tests share a main() implementation in testMain.cc
which is not able to easily be built as a .o from locations
such as compat/.
Fix this by making the code to include/unitTestMain.h and
including it as an inline main() definition for all cppunit
tests core .cc files.
* lib/testAll unit test
Fix by splitting out into multiple unit-test binaries as is done
by the rest of Squid. And removing duplicate testMain.cc.
* lib/ and src/ objects link to objects in child directories
Enable subdir-objects when possible. Some remain due to
depending on stubs files in the not yet created src/tests/ build
directory. That will be fixed in a future commit.
Amos Jeffries [Mon, 5 Jan 2015 13:48:16 +0000 (05:48 -0800)]
Bug 3754: configure doesnt detect IPFilter 5.1.2 system headers
Solaris 10+ bundles IPFilter code natively, but the IPFilter
headers contain a duplicate definition of minor_t which does
not match the existing OS definition.
The result is that no applications (such as Squid) will build
on Solaris with the natively provided headers.
Also, the upstream IPFilter code separate from Solaris contains
the same minor_t definition so building against a separate
install of IPFilter does not fix the issue.
We must instead play fancy games #define'ing minor_t to a
different real-name for the OS headers and its own name for
the IPFilter headers.
Thanks to Yuri Voinov for sponsoring the Solaris 10
machine and environment resources for this fix.
Fixed handling of invalid SSL server certificates when splicing connections.
An unpatched Squid in peek-and-splice mode may splice connections after
receiving a malformed or unsupported SSL server Hello message. This may
happen even if sslproxy_cert_error tells Squid to honor the error. After
this change, Squid honors sslproxy_cert_error setting when:
* no server certificate was found and checked using Squid validation procedure
(e.g., because the SSL server Hello response was malformed or unsupported); or
* Squid server certificate validation procedure has failed.
If the certificate error is not allowed, Squid terminates the server connection
and attempts to bump the client connection to deliver the error message to the
user.
Fixed handling of invalid SSL server certificates when splicing connections
An unpatched Squid in peek-and-splice mode may splice connections after
receiving a malformed or unsupported SSL server Hello message. This may
happen even if sslproxy_cert_error tells Squid to honor the error. After
this change, Squid honors sslproxy_cert_error setting when:
* no server certificate was found and checked using Squid validation procedure
(e.g., because the SSL server Hello response was malformed or unsupported); or
* Squid server certificate validation procedure has failed.
If the certificate error is not allowed, Squid terminates the server connection
and attempts to bump the client connection to deliver the error message to the
user.
Amos Jeffries [Mon, 29 Dec 2014 01:27:04 +0000 (17:27 -0800)]
Windows: fix getaddrinfo, getnameinfo, inet_ntop and inet_pton detection
These API symbols are not always defined as functions, and in varying
locations. AC_REPLACE_FUNCS cannot handle that kind of complexity so we
must use AC_CHECK_DECL instead and provide the sequence of #include
necessary to identify their existence.
Markus Moeller [Sat, 20 Dec 2014 17:10:25 +0000 (09:10 -0800)]
negotiate_kerberos_auth: MEMORY keytab and replay cache support
1) Checks for MEMORY: keytab support and reads the keytab from disk into
MEMORY to improve performance (i.e. read keytab only at startup and
nerver again)
2) Add option for replay cache type. Allows to set replay cache to none
to improve performance ( may reduce security a bit )
3) Add option for replay cache directory. If /var/tmp is not the best
location you can choose a different location.
projects / thirdparty / squid.git / log
