SQUID_STATE_ROLLBACK(check_TXTDB)
])
-dnl Check if we can rewrite the hello message stored in SSL openSSL object
-dnl The tests are very basic, just check if the required SSL members exist
-dnl in SSL structure.
+dnl Check if we can rewrite the hello message stored in an SSL object.
+dnl The tests are very basic, just check if the required members exist in
+dnl SSL structure.
AC_DEFUN([SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK],[
AH_TEMPLATE(SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK, "Define to 1 if hello message can be overwritten in SSL struct")
SQUID_STATE_SAVE(check_openSSL_overwrite_hack)
#include "acl/AtBumpStepData.h"
#include "client_side.h"
#include "ssl/ServerBump.h"
-//#include "ssl/support.h"
int
ACLAtStepStrategy::match (ACLData<Ssl::BumpStep> * &data, ACLFilledChecklist *checklist, ACLFlags &)
#include "acl/Strategy.h"
#include "ssl/support.h"
+/// \ingroup ACLAPI
class ACLAtStepStrategy : public ACLStrategy<Ssl::BumpStep>
{
public:
virtual int match (ACLData<MatchType> * &, ACLFilledChecklist *, ACLFlags &);
static ACLAtStepStrategy *Instance();
- /* Not implemented to prevent copies of the instance. */
- /* Not private to prevent brain dead g+++ warnings about
- * private constructors with no friends */
+ /**
+ * Not implemented to prevent copies of the instance.
+ */
ACLAtStepStrategy(ACLAtStepStrategy const &);
private:
## data-specific ACLs
libacls_la_SOURCES = \
- AtBumpStep.cc \
- AtBumpStep.h \
- AtBumpStepData.cc \
- AtBumpStepData.h \
IntRange.cc \
IntRange.h \
RegexData.cc \
EXTRA_libacls_la_SOURCES =
SSL_ACLS = \
+ AtBumpStep.cc \
+ AtBumpStep.h \
+ AtBumpStepData.cc \
+ AtBumpStepData.h \
CertificateData.cc \
CertificateData.h \
Certificate.cc \
static void parse_sslproxy_ssl_bump(acl_access **ssl_bump);
static void dump_sslproxy_ssl_bump(StoreEntry *entry, const char *name, acl_access *ssl_bump);
static void free_sslproxy_ssl_bump(acl_access **ssl_bump);
-
#endif /* USE_OPENSSL */
static void parse_ftp_epsv(acl_access **ftp_epsv);
} else if (strcmp(bm, Ssl::BumpModeStr[Ssl::bumpTerminate]) == 0) {
action.kind = Ssl::bumpTerminate;
bumpCfgStyleNow = bcsNew;
- } else if (strcmp(bm, Ssl::BumpModeStr[Ssl::bumpErr]) == 0) {
- action.kind = Ssl::bumpErr;
- bumpCfgStyleNow = bcsNew;
} else if (strcmp(bm, Ssl::BumpModeStr[Ssl::bumpNone]) == 0) {
action.kind = Ssl::bumpNone;
bumpCfgStyleNow = bcsNew;
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
- # step1: After getting TCP-level and HTTP CONNECT info.
- # step2: After getting SSL Client Hello info.
- # step3: After getting SSL Server Hello info.
+ # SslBump1: After getting TCP-level and HTTP CONNECT info.
+ # SslBump2: After getting SSL Client Hello info.
+ # SslBump3: After getting SSL Server Hello info.
ENDIF
acl aclname any-of acl1 acl2 ...
# match any one of the acls [fast or slow]
mimicked server certificate, with the client.
peek
- Receive client (step step1) or server (step step2)
+ Receive client (step SslBump1) or server (step SslBump2)
certificate while preserving the possibility of splicing the
connection. Peeking at the server certificate (during step 2)
usually precludes bumping of the connection at step 3.
stare
- Receive client (step step1) or server (step step2)
+ Receive client (step SslBump1) or server (step SslBump2)
certificate while preserving the possibility of bumping the
connection. Staring at the server certificate (during step 2)
usually precludes splicing of the connection at step 3.
terminate
Close client and server connections.
- Backward compatibility actions available at step step1:
+ Backward compatibility actions available at step SslBump1:
client-first
Bump the connection. Establish a secure connection with the
debugs(33, 5, HERE << "Answer: " << answer << " kind:" << answer.kind);
if (answer == ACCESS_ALLOWED && answer.kind != Ssl::bumpNone && answer.kind != Ssl::bumpSplice) {
- if (answer.kind == Ssl::bumpTerminate || answer.kind == Ssl::bumpErr)
+ if (answer.kind == Ssl::bumpTerminate)
comm_close(connState->clientConnection->fd);
else {
if (answer.kind != Ssl::bumpPeek && answer.kind != Ssl::bumpStare)
else if (peekMode == Ssl::bumpBump && !srvBio->canBump())
peekMode = Ssl::bumpSplice;
- if (peekMode == Ssl::bumpTerminate || peekMode == Ssl::bumpErr) {
+ if (peekMode == Ssl::bumpTerminate) {
comm_close(serverConn->fd);
comm_close(clientConn->fd);
} else if (peekMode != Ssl::bumpSplice) {
// occure in the next SSL_connect call, and we will fail again.
#if 1
if ((request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) {
- debugs(81, DBG_IMPORTANT, "fwdNegotiateSSL: Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
+ debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
checkForPeekAndSplice(false, Ssl::bumpNone);
return;
}
}
-// This function makes the required checks to examine if the client hello message
-// can be compatible with the features provided by OpenSSL toolkit.
+// This function makes the required checks to examine if the client hello
+// message is compatible with the features provided by OpenSSL toolkit.
// If the features are compatible and can be supported it tries to rewrite SSL
-// structure members, to replace the hello message created by openSSL, with the
+// structure members, to replace the hello message created by openSSL, with the
// web client SSL hello message.
-// This is mostly possible in the cases where the web client uses openSSL library
-// similar with this one used by squid.
+// This is mostly possible in the cases where the web client uses openSSL
+// library similar with this one used by squid.
static bool
adjustSSL(SSL *ssl, Ssl::Bio::sslFeatures &features)
{
"bump",
"splice",
"terminate",
- "err",
+ /*"err",*/
NULL
};
\ingroup ServerProtocolSSLAPI
* Supported ssl-bump modes
*/
-enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, bumpErr, bumpEnd};
+enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, /*bumpErr,*/ bumpEnd};
enum BumpStep {bumpStep1, bumpStep2, bumpStep3};
void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntryPointer &al) STUB
+void switchToTunnel(HttpRequest *request, int *status_ptr, Comm::ConnectionPointer &clientConn, Comm::ConnectionPointer &srvConn) STUB
+
TunnelStateData::connectToPeer()
{
const Comm::ConnectionPointer &srv = server.conn;
- const Comm::ConnectionPointer &cln = client.conn;
#if USE_OPENSSL
if (CachePeer *p = srv->getPeer()) {
"TunnelStateData::ConnectedToPeer",
MyAnswerDialer(&TunnelStateData::connectedToPeer, this));
Ssl::PeerConnector *connector =
- new Ssl::PeerConnector(request, srv, cln, callback);
+ new Ssl::PeerConnector(request, srv, client.conn, callback);
AsyncJob::Start(connector); // will call our callback
return;
}
#endif
+#if USE_OPENSSL
int default_read_method(int, char *, int);
int default_write_method(int, const char *, int);
void
CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState));
Comm::Write(tunnelState->client.conn, buf.content(), buf.contentSize(), call, NULL);
}
+#endif //USE_OPENSSL
projects / thirdparty / squid.git / commitdiff
