From: Amos Jeffries
Date: Tue, 11 Aug 2015 04:41:55 +0000 (-0700)
Subject: TLS: fix various bugs in HTTPS proxying context creation
X-Git-Tag: SQUID_4_0_1~139
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d4ab7b6303319cc3cc6b5f17254dcd50c1379201;p=thirdparty%2Fsquid.git

TLS: fix various bugs in HTTPS proxying context creation

cache_peer with "ssl" option and DIRECT HTTPS outgoing traffic was not having TLS context initialized at all. Resulting in TLS outgoing being disabled unless explicit extra options were used.

With this patch:

The default squid.conf sets "tls_outgoing_options min-version=1.0". Which auto-enables DIRECT outgoing, the new explicit "disable" option is required to turn off.

http_port ... protocol=HTTPS and https_port forces "encryptTransport=true;" explicitly based on the expected protocol. So it is either enabled by the parse() call when TLS options are used, or forced on anyway later when the protocol is validated.

icaps:// services also explicitly set "encryptTransport=true;" explicitly based on 's' in the service URI scheme.

The cache_peer requires a minimum of "ssl" option to be configured. Any use of TLS/SSL options other than "disable" will enable TLS to the peer.

In summary TLS should be:
* default-on for all https_port, icaps:// services, and outgoing https:// traffic.
* manually enabled on cache_peer and http_port.
* manually disabled on outgoing https:// traffic.
---
diff --git a/src/adaptation/ServiceConfig.cc b/src/adaptation/ServiceConfig.cc
index f1dfbcd4a0..79b70ee4a0 100644
--- a/src/adaptation/ServiceConfig.cc
+++ b/src/adaptation/ServiceConfig.cc
@@ -136,7 +136,6 @@ Adaptation::ServiceConfig::parse()
 tmp += "=";
 tmp += value;
 secure.parse(tmp.c_str());
- secure.encryptTransport = true;
 grokked = true;
 #endif
 } else
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index f45d8078fa..6f2a87e11a 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2193,11 +2193,9 @@ parse_peer(CachePeer ** head)
 #if !USE_OPENSSL
 debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl");
 #else
- p->secure.encryptTransport = true;
 p->secure.parse(token+3);
 #endif
 } else if (strncmp(token, "tls-", 4) == 0) {
- p->secure.encryptTransport = true;
 p->secure.parse(token+4);
 } else if (strcmp(token, "front-end-https") == 0) {
 p->front_end_https = 1;
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 26b8e74d04..c39ef21151 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -42,9 +42,18 @@ Security::PeerOptions::PeerOptions(const Security::PeerOptions &p) :
 void
 Security::PeerOptions::parse(const char *token)
 {
+ if (!*token) {
+ // config says just "ssl" or "tls" (or "tls-")
+ encryptTransport = true;
+ return;
+ }
+
 if (strncmp(token, "disable", 7) == 0) {
 clear();
- } else if (strncmp(token, "cert=", 5) == 0) {
+ return;
+ }
+
+ if (strncmp(token, "cert=", 5) == 0) {
 certFile = SBuf(token + 5);
 if (privateKeyFile.isEmpty())
 privateKeyFile = certFile;
@@ -80,7 +89,10 @@ Security::PeerOptions::parse(const char *token)
 sslDomain = SBuf(token + 7);
 } else {
 debugs(3, DBG_CRITICAL, "ERROR: Unknown TLS option '" << token << "'");
+ return;
 }
+
 encryptTransport = true;
 }
 
 void
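Review bot: `strncmp(token, "disable", 7) == 0` now short-circuits the whole option on a prefix match, so a misspelled or extended token such as `disabled` or `disable-x` is silently accepted as `disable` instead of reaching the unknown-option error later in parse(); the cache_peer parser in cache_cf.cc uses an exact `strcmp` for `front-end-https`, and an exact match here (`if (strcmp(token, "disable") == 0) {`) would keep the two consistent and make a typo visible in the log. The new empty-token branch dereferences `token` without a null check; every caller visible in this commit passes a non-null pointer, so a `!token ||` guard would be optional hardening rather than a fix. parse()'s body continues into the next hunk.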
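Review bot: The trailing `encryptTransport = true;` now runs after every recognized option, so if `clear()` in the `disable` branch resets that flag, any recognized option parsed after it (for example `tls-disable` followed by `tls-cert=...` on the same cache_peer line) re-enables encryption and the effective setting depends on option order; that is worth either stating in a comment or rejecting with a DBG_CRITICAL warning when an option follows `disable`. Whether clear() touches encryptTransport is not visible in this diff, so confirm before choosing. A short comment above the assignment, such as `// any recognized TLS option implies the transport is to be encrypted`, would also make the intent of the new line explicit. parse() begins in the previous hunk.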