From 2695a2e8c45dd62d4ce6dda2f9effd3fe086951a Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sat, 17 Jan 2015 23:22:01 -0800
Subject: [PATCH] Fix silent SSL/TLS failure on split-stack operating systems

Up to now we have not cloned any of the SSL/TLS related config state if the port needed cloning into separate IPv6 and IPv4 sockets. It is safe enough to clone the text strings received directly from squid.conf and rely on later port setup to generate separate sslContext objects.
---
 src/anyp/PortCfg.cc | 42 +++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc
index 41a6b9ee1c..111444c5dd 100644
--- a/src/anyp/PortCfg.cc
+++ b/src/anyp/PortCfg.cc
@@ -66,22 +66,34 @@ AnyP::PortCfg::clone() const
 b->disable_pmtu_discovery = disable_pmtu_discovery;
 b->tcp_keepalive = tcp_keepalive;
-#if 0
- // TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure separate ports with IPs and SSL settings
-
 #if USE_SSL
- char *cert;
- char *key;
- int version;
- char *cipher;
- char *options;
- char *clientca;
- char *cafile;
- char *capath;
- char *crlfile;
- char *dhfile;
- char *sslflags;
- char *sslContextSessionId;
+ if (cert)
+ b->cert = xstrdup(cert);
+ if (key)
+ b->key = xstrdup(key);
+ b->version = version;
+ if (cipher)
+ b->cipher = xstrdup(cipher);
+ if (options)
+ b->options = xstrdup(options);
+ if (clientca)
+ b->clientca = xstrdup(clientca);
+ if (cafile)
+ b->cafile = xstrdup(cafile);
+ if (capath)
+ b->capath = xstrdup(capath);
+ if (crlfile)
+ b->crlfile = xstrdup(crlfile);
+ if (dhfile)
+ b->dhfile = xstrdup(dhfile);
+ if (sslflags)
+ b->sslflags = xstrdup(sslflags);
+ if (sslContextSessionId)
+ b->sslContextSessionId = xstrdup(sslContextSessionId);
+
+#if 0
+ // TODO: AYJ: 2015-01-15: for now SSL does not clone the context object.
+ // cloning should only be done before the PortCfg is post-configure initialized and opened
 SSL_CTX *sslContext;
 #endif
--
2.47.2
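Review bot: The eleven hand-written `if (x) b->x = xstrdup(x);` pairs in the `#if USE_SSL` section reintroduce the failure mode this commit fixes: the SSL fields were silently dropped on split-stack hosts because clone() enumerates members by hand, so the next TLS-related member added to PortCfg will be dropped the same way with no compile-time signal. A file-local helper, `static void cloneString(char *&dst, const char *src) { if (src) dst = xstrdup(src); }`, would cut each field to one line and make the list easier to audit against the class definition, together with a comment above the section such as `// Every USE_SSL member of PortCfg must be mirrored here; a missing field only shows up as one address family failing TLS.`. The null checks also rely on `b`'s string members already being null-initialized by the constructor, which lies outside this hunk; if they are not, the skipped assignments leave indeterminate pointers in the clone, so that precondition is worth stating in the comment too. The `sslContext` TODO would read better if it named where the per-clone context is expected to be created, since the commit message only says "later port setup". The enclosing clone() body begins before and ends after this hunk.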