From 3c3c754c033da63c9cf21512e304aeffbc5c685a Mon Sep 17 00:00:00 2001 From: Christos Tsantilas Date: Sat, 5 Apr 2014 22:39:32 -0600 Subject: [PATCH] Basic auth cache and SslBump fix This patch fixes the following bug: 1) A user sends a CONNECT request with valid credentials 2) Squid checks the credentials and adds the user to the user cache 3) The same user sends a CONNECT request with invalid credentials 4) Squid overwrites the entry in the user cache and denies the second CONNECT request 5) The user sends a GET request on the first SSL connection which is established by now 6) Squid knows that it does not need to check the credentials on the bumped connection but still somehow checks again whether the user is successfully authenticated 7) Due to the second CONNECT request the user is regarded as not successfully authenticated 8) Squid denies the GET request of the first SSL connection with 403 ERR_CACHE_ACCESS_DENIED On proxies with Basic authentication and SSL bumping, this can be used to prevent a legitimate user from making any HTTPS requests This is a Measurement Factory project --- src/auth/AclProxyAuth.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/auth/AclProxyAuth.cc b/src/auth/AclProxyAuth.cc index f714fec009..244708625d 100644 --- a/src/auth/AclProxyAuth.cc +++ b/src/auth/AclProxyAuth.cc @@ -189,6 +189,8 @@ int ACLProxyAuth::matchProxyAuth(ACLChecklist *cl) { ACLFilledChecklist *checklist = Filled(cl); + if (checklist->request->flags.sslBumped) + return 1; // AuthenticateAcl() already handled this bumped request if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) { return 0; } -- 2.47.2