When an intercepted SSL connection matches "ssl_bump none" in
squid.conf, Squid correctly refuses to bump it and establishes a TCP
tunnel using a fake CONNECT request. Unfortunately, the HTTP client
terminates with an "unknown protocol" SSL error.
Also, client_dst_passthru does not work as expected for intercepted requests.
#endif
fakeRequest->my_addr = connState->clientConnection->local;
fakeRequest->flags.spoof_client_ip = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+ fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0);
debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
connState->switchToHttps(fakeRequest, bumpMode);
}
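Review bot: The added `fakeRequest->flags.intercepted` assignment has no comment saying why a Squid-generated CONNECT must carry the interception state of the client connection. The only consumer visible on this page is the reply-suppression test in the tunnel-connected callback. Going by the commit description, the flag presumably also feeds the client_dst_passthru destination handling, which is a trust decision and worth stating. I would put `// fake CONNECT inherits the client connection's interception state; the tunnel code uses it to stay silent towards the client` above the new line. The enclosing function starts outside this hunk, so how `fakeRequest` is otherwise populated cannot be checked here.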
TunnelStateData *tunnelState = (TunnelStateData *)data;
debugs(26, 3, HERE << server << ", tunnelState=" << tunnelState);
- if (tunnelState->request && tunnelState->request->flags.spoof_client_ip)
+ if (tunnelState->request && (tunnelState->request->flags.spoof_client_ip || tunnelState->request->flags.intercepted))
tunnelStartShoveling(tunnelState); // ssl-bumped connection, be quiet
else {
AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone",
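Review bot: The widened condition keys reply suppression on how the connection arrived, not on whether Squid fabricated the CONNECT, and the trailing comment `// ssl-bumped connection, be quiet` no longer describes it. The case this commit targets is a connection that was deliberately not bumped. If a CONNECT sent by a client on an interception port can also carry `flags.intercepted` (not visible in this hunk), it would take the silent branch and never get the reply that the else branch appears to write, so that path should be confirmed. I would change the comment to `// intercepted or TPROXY client never sent a CONNECT, so write no reply to it`. The function continues past the end of the hunk.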