sslproxy_options in peek-and-splice mode

Problem description:
  - Squid sslproxy_options deny the use of TLSv1_2 SSL protocol:
     sslproxy_options NO_TLSv1_2
  - Squid uses peek mode for bumped connections.
  - Web client sends an TLSv1_2 hello message and squid in peek mode, forwards
    the client hello message to server
  - Web server respond with an TLSv1_2 hello message
  - Squid while parsing server hello message aborts with an error because
    sslproxy_options deny the use ot TLSv1_2 protocol.

This patch fixes squid to ignore sslproxy_options when peek or stare bumping
mode selected on bumpStep2 bumping step.
The sslproxy_options applied if bump (server-first or client-first) mode
selected on bumpStep1 or bumpStep2 bumping step.
Also applied for "GET https://..." requests.

This is a Measurement Factory project

diff --git a/src/SquidConfig.h b/src/SquidConfig.h
index 4ef76642e2a49c6e7cb8492c5bc657f5c98826fd..bce9c3a1248ecebc74ac7d55902aff7364cf24a8 100644 (file)
--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -504,6 +504,7 @@ public:
         char *key;
         int version;
         char *options;
+        long parsedOptions;
         char *cipher;
         char *cafile;
         char *capath;

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index d38c87e94bbd255fb8f896c4b58600709fdf2941..4b0b45781d8fbbc22fc6a4589b0e6b6d589346a0 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -876,7 +876,10 @@ configDoConfigure(void)
 
     debugs(3, DBG_IMPORTANT, "Initializing https proxy context");
 
-    Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
+    Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, NULL, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
+    // Pre-parse SSL client options to be applied when the client SSL objects created.
+    // Options must not used in the case of peek or stare bump mode.
+    Config.ssl_client.parsedOptions = Ssl::parse_options(::Config.ssl_client.options);
 
     for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
         if (p->use_ssl) {

diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index 56652997218879d206be3eca7a8365eacad609c3..307d6b1d6f04fb76c7769973c7c5594ed7f5e115 100644 (file)
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -144,7 +144,7 @@ Ssl::PeerConnector::initializeSsl()
 
         if (peer->sslSession)
             SSL_set_session(ssl, peer->sslSession);
-    } else if (const ConnStateData *csd = request->clientConnectionManager.valid()) {
+    } else if (ConnStateData *csd = request->clientConnectionManager.valid()) {
         // client connection is required in the case we need to splice
         // or terminate client and server connections
         assert(clientConn != NULL);
@@ -172,6 +172,7 @@ Ssl::PeerConnector::initializeSsl()
         if (hostName)
             SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostName);
 
+        Must(!csd->serverBump() || csd->serverBump()->step <= Ssl::bumpStep2);
         if (csd->sslBumpMode == Ssl::bumpPeek || csd->sslBumpMode == Ssl::bumpStare) {
             assert(cltBio);
             const Ssl::Bio::sslFeatures &features = cltBio->getFeatures();
@@ -188,6 +189,9 @@ Ssl::PeerConnector::initializeSsl()
                 }
             }
         } else {
+            // Set client SSL options
+            SSL_set_options(ssl, ::Config.ssl_client.parsedOptions);
+
             // Use SNI TLS extension only when we connect directly
             // to the origin server and we know the server host name.
             const char *sniServer = hostName ? hostName :