From 8d5f481ad519b835a3d28ccee4adcf34eecb25ab Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Wed, 14 Jan 2015 09:10:20 -0800
Subject: [PATCH] Fix silent SSL/TLS failure on split-stack operating systems

Up to now we have not cloned any of the SSL/TLS related config state if the port needed cloning into separate IPv6 and IPv4 sockets. It is safe enough to clone the text strings received directly from squid.conf and rely on later port setup to generate separate sslContext objects.
---
 src/anyp/PortCfg.cc | 42 +++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc
index 8f09cf5e22..d2299244ac 100644
--- a/src/anyp/PortCfg.cc
+++ b/src/anyp/PortCfg.cc
@@ -119,22 +119,34 @@ AnyP::PortCfg::clone() const
     b->disable_pmtu_discovery = disable_pmtu_discovery;
     b->tcp_keepalive = tcp_keepalive;
-#if 0
-    // TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure separate ports with IPs and SSL settings
-
 #if USE_OPENSSL
-    char *cert;
-    char *key;
-    int version;
-    char *cipher;
-    char *options;
-    char *clientca;
-    char *cafile;
-    char *capath;
-    char *crlfile;
-    char *dhfile;
-    char *sslflags;
-    char *sslContextSessionId;
+    if (cert)
+        b->cert = xstrdup(cert);
+    if (key)
+        b->key = xstrdup(key);
+    b->version = version;
+    if (cipher)
+        b->cipher = xstrdup(cipher);
+    if (options)
+        b->options = xstrdup(options);
+    if (clientca)
+        b->clientca = xstrdup(clientca);
+    if (cafile)
+        b->cafile = xstrdup(cafile);
+    if (capath)
+        b->capath = xstrdup(capath);
+    if (crlfile)
+        b->crlfile = xstrdup(crlfile);
+    if (dhfile)
+        b->dhfile = xstrdup(dhfile);
+    if (sslflags)
+        b->sslflags = xstrdup(sslflags);
+    if (sslContextSessionId)
+        b->sslContextSessionId = xstrdup(sslContextSessionId);
+
+#if 0
+    // TODO: AYJ: 2015-01-15: for now SSL does not clone the context object.
+    // cloning should only be done before the PortCfg is post-configure initialized and opened
     SSL_CTX *sslContext;
 #endif
-- 
2.47.3
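Review bot: The new cloning code relies on a precondition that is stated only in the `#if 0` comment at the end of the hunk — that clone() runs before `sslContext` has been generated — and nothing enforces it, so a clone taken after post-configure initialization would carry every TLS string but no context and fail silently, the same failure class this commit is fixing. I would make that loud at the top of the `#if USE_OPENSSL` section: `assert(!sslContext); // clone() is only valid before the SSL_CTX is generated; the clone gets the config strings and builds its own context later`. Separately, the twelve members copied here are exactly the names from the removed 2009 list; since I cannot see the current PortCfg header from this hunk, it is worth checking it for any SSL/TLS member added since then, because any field still not copied leaves the IPv4 clone with different TLS settings than the IPv6 port. clone() begins before and ends after this hunk, so the construction of `b` and the return are not visible here.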