From: Christos Tsantilas
Date: Sun, 15 Feb 2015 19:42:55 +0000 (+0200)
Subject: sslproxy_options in peek-and-splice mode
X-Git-Tag: merge-candidate-3-v1~266
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f233022a5bb276d66eaa913a80374468db578fdd;p=thirdparty%2Fsquid.git

sslproxy_options in peek-and-splice mode

Problem description:
- Squid sslproxy_options deny the use of TLSv1_2 SSL protocol: sslproxy_options NO_TLSv1_2
- Squid uses peek mode for bumped connections.
- Web client sends an TLSv1_2 hello message and squid in peek mode, forwards the client hello message to server
- Web server respond with an TLSv1_2 hello message
- Squid while parsing server hello message aborts with an error because sslproxy_options deny the use ot TLSv1_2 protocol.

This patch fixes squid to ignore sslproxy_options when peek or stare bumping mode selected on bumpStep2 bumping step. The sslproxy_options applied if bump (server-first or client-first) mode selected on bumpStep1 or bumpStep2 bumping step. Also applied for "GET https://..." requests.

This is a Measurement Factory project
---
diff --git a/src/SquidConfig.h b/src/SquidConfig.h
index 4ef76642e2..bce9c3a124 100644
--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -504,6 +504,7 @@ public:
 char *key;
 int version;
 char *options;
+ long parsedOptions;
 char *cipher;
 char *cafile;
 char *capath;
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index d38c87e94b..4b0b45781d 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
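Review bot: `long parsedOptions;` is added next to the parsed-directive members without a comment, although it is a derived value that the config parser never fills; suggest `long parsedOptions; ///< `options` pre-parsed by Ssl::parse_options(); applied per SSL object via SSL_set_options(), skipped for peek/stare bumping`. The member also has no initialiser; if the only SquidConfig instance is the zero-initialised global that is harmless, otherwise the field is indeterminate until configDoConfigure() assigns it — worth confirming. The enclosing class continues outside the hunk.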
@@ -876,7 +876,10 @@ configDoConfigure(void)
 debugs(3, DBG_IMPORTANT, "Initializing https proxy context");
- Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
+ Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, NULL, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
+ // Pre-parse SSL client options to be applied when the client SSL objects created.
+ // Options must not used in the case of peek or stare bump mode.
+ Config.ssl_client.parsedOptions = Ssl::parse_options(::Config.ssl_client.options);
 for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
 if (p->use_ssl) {
diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index 5665299721..307d6b1d6f 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -144,7 +144,7 @@ Ssl::PeerConnector::initializeSsl()
 if (peer->sslSession)
 SSL_set_session(ssl, peer->sslSession);
- } else if (const ConnStateData *csd = request->clientConnectionManager.valid()) {
+ } else if (ConnStateData *csd = request->clientConnectionManager.valid()) {
 // client connection is required in the case we need to splice
 // or terminate client and server connections
 assert(clientConn != NULL);
@@ -172,6 +172,7 @@ Ssl::PeerConnector::initializeSsl()
 if (hostName)
 SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostName);
+ Must(!csd->serverBump() || csd->serverBump()->step <= Ssl::bumpStep2);
 if (csd->sslBumpMode == Ssl::bumpPeek || csd->sslBumpMode == Ssl::bumpStare) {
 assert(cltBio);
 const Ssl::Bio::sslFeatures &features = cltBio->getFeatures();
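Review bot: Passing `NULL` instead of `Config.ssl_client.options` to sslCreateClientContext() means sslproxy_options no longer constrain the shared client context at all and are re-applied only per SSL object outside peek/stare mode, yet nothing in the sslproxy_options directive documentation tells an administrator that, for example, NO_SSLv3 or NO_TLSv1 has no effect on peeked or stared server connections; please document that behaviour change with this patch. The new comment also has a grammar slip; I would write `// Pre-parse sslproxy_options so they can be applied to each client SSL object as it is created.` and `// They must not be applied in peek or stare bumping mode, where Squid forwards the client's hello.`. `::Config` on the assignment line is inconsistent with the bare `Config` used two lines above. configDoConfigure() continues outside the hunk.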
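Review bot: Dropping `const` from `csd` widens write access to the client connection state for the rest of initializeSsl(), presumably only so that `csd->serverBump()` in the following hunk can be called; if ConnStateData::serverBump() can be const-qualified, keep `const ConnStateData *csd = request->clientConnectionManager.valid()` here. The function continues outside the hunk.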
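Review bot: The new `Must(...)` calls `csd->serverBump()` twice and, unlike the `assert()` calls next to it, raises an exception rather than aborting; whether initializeSsl() or its caller handles that exception cannot be seen from the hunk, so please confirm the failure path does not leave the half-initialised SSL object in use. Suggest evaluating the pointer once, `if (const Ssl::ServerBump *bump = csd->serverBump()) Must(bump->step <= Ssl::bumpStep2);`, with a why-comment such as `// server-side options are decided at bumpStep2 or earlier; later steps must not reach here`. initializeSsl() continues outside the hunk.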
@@ -188,6 +189,9 @@ Ssl::PeerConnector::initializeSsl()
 }
 }
 } else {
+ // Set client SSL options
+ SSL_set_options(ssl, ::Config.ssl_client.parsedOptions);
+
 // Use SNI TLS extension only when we connect directly
 // to the origin server and we know the server host name.
 const char *sniServer = hostName ? hostName :
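Review bot: `SSL_set_options()` is now applied only in this `else` branch of the client-connection case, so a server-side SSL object created when neither a cache peer nor a valid request->clientConnectionManager is present (the branch layout is visible in the earlier hunk) would receive no sslproxy_options at all, whereas before the change every object inherited them from the context; if such a path exists in initializeSsl(), that is a silent weakening and the same call belongs there too. The comment `// Set client SSL options` restates the code; `// Apply sslproxy_options; skipped for peek/stare, where Squid forwards the client's hello unchanged` records the reason. initializeSsl() continues outside the hunk.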