On 23/7/20 7:08 a.m., Amos Jeffries wrote:
Hi guys,
OpenSSL 3.0 with their new GPL compatible license is becoming available
now in Debian and that means we can finally auto-enable all OpenSSL
features when building against that version.
I am starting test build now to see how much breakage we
On 8/5/20 5:50 p.m., Amos Jeffries wrote:
Does this change resolve the issue for you?
It is a step but this is not enough.
I am attaching a patch which finally solved the issue. However still it
is not enough, there are other similar cases need to be fixed in
squid-util.m4 and probably in
Hi all,
Squid master 699ade2d fails to build with an alternate OpenSsl, when the
"--with-openssl=/path/to/openssl" is used.
I think that the issue added with the commit 245314010.
Example build output:
g++ -DHAVE_CONFIG_H
-DDEFAULT_CONFIG_FILE=\"/usr/local/squid3-cvs/etc/squid.conf\"
On 17/11/2017 07:45 PM, Alex Rousskov wrote:
On 11/17/2017 10:06 AM, Christos Tsantilas wrote:
For any new patch, we are building a git-PR for merging it to
squid-5/master. Should we make a git-PR for squid-4 too (and squid-3.5)?
Or the squid-4 maintainer is responsible to extract
Hi all,
I am a little confused about the procedure I should follow for
applying patches to squid, specially for patches which should be
included to squid-4.
For any new patch, we are building a git-PR for merging it to
squid-5/master. Should we make a git-PR for squid-4 too (and
I made the PR #59 for this patch.
We can do any discussion here.
Regards,
Christos
On 27/07/2017 09:52 AM, Christos Tsantilas wrote:
The patch.
On 26/07/2017 12:37 PM, Christos Tsantilas wrote:
Squid can be killed or maimed by enough clients that start multi-step
connection
On 05/08/2017 09:52 AM, Amos Jeffries wrote:
On 01/08/17 04:40, Alex Rousskov wrote:
On 07/31/2017 09:24 AM, Amos Jeffries wrote:
To do so otherwise would randomly
allow replay attacks to succeed
Please give a specific example where the proposed changes would allow a
new kind of replay
On 30/07/2017 06:48 AM, Amos Jeffries wrote:
On 27/07/17 18:52, Christos Tsantilas wrote:
The patch.
On 26/07/2017 12:37 PM, Christos Tsantilas wrote:
Squid can be killed or maimed by enough clients that start multi-step
connection authentication but never follow up with the second
The patch.
On 26/07/2017 12:37 PM, Christos Tsantilas wrote:
Squid can be killed or maimed by enough clients that start multi-step
connection authentication but never follow up with the second HTTP
request while keeping their HTTP connection open. Affected helpers
remain in the "res
Squid can be killed or maimed by enough clients that start multi-step
connection authentication but never follow up with the second HTTP
request while keeping their HTTP connection open. Affected helpers
remain in the "reserved" state and cannot be reused for other clients.
Observed helper
SslBump was ignoring origin server certificate changes and using the
previously cached fake certificate (mimicking now-stale properties).
Also, Squid was not detecting key collisions inside certificate caches.
On-disk certificate cache fixes:
- Use the original certificate signature instead
also attaching the patches for squid-3.5 and squid-4.
The squid-3.5 patch passes the HttpRequest::Pointer as parameter to the
ConnStateData::pinConnection method.
On 23/06/2017 12:53 PM, Christos Tsantilas wrote:
A new patch
On 21/06/2017 08:07 PM, Alex Rousskov wrote:
On 06/21/2017
A new patch
On 21/06/2017 08:07 PM, Alex Rousskov wrote:
On 06/21/2017 05:40 AM, Christos Tsantilas wrote: I suggest the
following one or two polishing touches:
1. Merge pinConnection() and pinNewConnection() by returning from
the method if there is nothing to do, with a debugs() line
* Protect Squid Client classes from new requests that compete with
ongoing pinned connection use and
* resume dealing with new requests when those Client classes are done
using the pinned connection.
Replaced primary ConnStateData::pinConnection() calls with a pair of
pinBusyConnection()
On 20/06/2017 01:59 AM, Alex Rousskov wrote:
revno: 15212
committer: Amos Jeffries
branch nick: 5
timestamp: Tue 2017-06-20 01:53:03 +1200
message:
Fix build errors with automake after rev.15194
We cannot name files in src/ the same as files in
On 10/06/2017 03:32 PM, Amos Jeffries wrote:
On 09/06/17 02:52, Christos Tsantilas wrote:
Concurrent identical same-worker security_file_certgen (a.k.a.
ssl_crtd) requests are collapsed: The first such request goes through
to one of the helpers while others wait for that first request
patch applied to squid-5 as r15189, with the requested fixes.
On 31/05/2017 05:56 PM, Alex Rousskov wrote:
On 05/30/2017 10:58 PM, Amos Jeffries wrote:
On 26/05/17 22:08, Christos Tsantilas wrote:
--consensus allows matching a part of the conglomerate when the part's
subject name
Patch applied to trunk as r15188 with the requested fixes.
On 10/06/2017 04:30 PM, Amos Jeffries wrote:
On 24/05/17 20:31, Christos Tsantilas wrote:
Adds support for --long-acl-options
This patch adds support for --long-acl-options. The old single-letter
ACL "flags" code was
Concurrent identical same-worker security_file_certgen (a.k.a. ssl_crtd)
requests are collapsed: The first such request goes through to one of
the helpers while others wait for that first request to complete,
successfully or otherwise. This optimization helps dealing with flash
crowds that
This ACL is essential in several use cases, including:
* After fetching a missing intermediate certificate, Squid uses the
regular cache (and regular caching rules) to store the response. Squid
deployments that do not want to cache regular traffic need to cache
fetched certificates and only
This patch uses the "--long-options" ACLs feature which posted to
squid-dev under the mailthread:
"[PATCH] Adds support for --long-acl-options"
Patch description:
Many popular servers use certificates with several "alternative subject
names" (SubjectAltName). Many of those names are
On 19/05/2017 07:19 PM, Christos Tsantilas wrote:
The t4 patch
I committed this patch to squid-5 as r15152.
On 19/05/2017 12:27 AM, Amos Jeffries wrote:
On 19/05/17 04:04, Christos Tsantilas wrote:
On 18/05/2017 03:40 PM, Amos Jeffries wrote:
On 18/05/17 23:12, Christos Tsantilas wrote
The t4 patch
On 19/05/2017 12:27 AM, Amos Jeffries wrote:
On 19/05/17 04:04, Christos Tsantilas wrote:
On 18/05/2017 03:40 PM, Amos Jeffries wrote:
On 18/05/17 23:12, Christos Tsantilas wrote:
+# check for API functions
+AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate,
[AC_DEFINE
On 18/05/2017 06:05 PM, Alex Rousskov wrote:
On 05/18/2017 05:12 AM, Christos Tsantilas wrote:
Agrr... Using the openSSL version was the faster/easier way. Touching
autoconf may result to 2-3 full squid rebuilds to implement/test similar
fixes.
The alternative is to convince others
On 18/05/2017 03:40 PM, Amos Jeffries wrote:
On 18/05/17 23:12, Christos Tsantilas wrote:
+# check for API functions
+AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate,
[AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate
is available])], [])
+
This bit seems to be correct
On 18/05/2017 03:12 PM, Amos Jeffries wrote:
On 18/05/17 23:12, Christos Tsantilas wrote:
On 17/05/2017 07:56 PM, Alex Rousskov wrote:
On 05/17/2017 10:35 AM, Christos Tsantilas wrote:
+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+X509 * cert = SSL_CTX_get0_certificate(ctx.
On 17/05/2017 07:56 PM, Alex Rousskov wrote:
On 05/17/2017 10:35 AM, Christos Tsantilas wrote:
+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+X509 * cert = SSL_CTX_get0_certificate(ctx.get());
If it is possible to replace this version check with a ./configure-time
detect
On 16/05/2017 03:04 PM, Amos Jeffries wrote:
Building Squid-5 r15136 against the latest libssl 1.1.0e on Ubuntu.
src/ssl/support.cc: In function ‘bool
Ssl::verifySslCertificate(Security::ContextPointer&, const
Ssl::CertificateProperties&)’:
src/ssl/support.cc:995:34: error: invalid use of
On 16/05/2017 03:04 PM, Amos Jeffries wrote:
Building Squid-5 r15136 against the latest libssl 1.1.0e on Ubuntu.
src/ssl/support.cc: In function ‘bool
Ssl::verifySslCertificate(Security::ContextPointer&, const
Ssl::CertificateProperties&)’:
src/ssl/support.cc:995:34: error: invalid use of
Applied as r15121 to squid-5 branch.
On 14/04/2017 02:02 PM, Amos Jeffries wrote:
On 14/04/2017 1:10 a.m., Christos Tsantilas wrote:
If there are not objections I will apply this patch to squid-5 branch
I'm not seeing anything obviously wrong with it and it's past the 10-day
criteria. So
If there are not objections I will apply this patch to squid-5 branch
On 31/03/2017 04:21 PM, Christos Tsantilas wrote:
Hi all,
Squid does not send CONNECT request to adaptation services if the
"ssl_bump splice" rule matched at step 2. This adaptation is important
because the CONNE
Hi all,
Squid does not send CONNECT request to adaptation services if the
"ssl_bump splice" rule matched at step 2. This adaptation is important
because the CONNECT request gains SNI information during the second
SslBump step. This is a regression bug, possibly caused by the Squid bug
4529
/2017 06:38 PM, Amos Jeffries wrote:
On 7/02/2017 11:12 p.m., Christos Tsantilas wrote:
On 07/02/2017 11:43 AM, Amos Jeffries wrote:
On 7/02/2017 6:07 a.m., Christos Tsantilas wrote:
Applied to trunk as r15036.
I am attaching the patch for squid-3.5
On 04/02/2017 04:07 PM, Amos Jeffries wrote
On 07/02/2017 11:43 AM, Amos Jeffries wrote:
On 7/02/2017 6:07 a.m., Christos Tsantilas wrote:
Applied to trunk as r15036.
I am attaching the patch for squid-3.5
On 04/02/2017 04:07 PM, Amos Jeffries wrote:
On 4/02/2017 8:27 a.m., Christos Tsantilas wrote:
... such as ERR_ACCESS_DENIED
Applied to trunk as r15036.
I am attaching the patch for squid-3.5
On 04/02/2017 04:07 PM, Amos Jeffries wrote:
On 4/02/2017 8:27 a.m., Christos Tsantilas wrote:
... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
http_access deny rule match.
The old code allowed ssl_bump
... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
http_access deny rule match.
The old code allowed ssl_bump step1 rules to be evaluated in the
presence of an error. An ssl_bump splicing decision would then trigger
the useless "send the error to the client now" processing
On 02/02/2017 03:16 AM, Alex Rousskov wrote:
On 02/01/2017 01:42 PM, Christos Tsantilas wrote:
must take in account that some openSSL calls
returns locked objects, and some other unlocked objects.
Does the patch start using shared pointers for any objects in the
second, "returned unl
On 19/01/2017 09:11 PM, Alex Rousskov wrote:
Does the patched code continue to work well with OpenSSL?
You have not answered this question. Please do not commit these changes
until the OpenSSL build is tested.
Amos, asks me to make some tests if I have time. I make some simple
tests with
The adjusted patch which implements the new acls applied to squid-5 as
r15024 and r15026.
The patch which fixed Auth::UserRequest::denyMessage() method applied
to squid-5 as r15025
On 27/01/2017 08:05 PM, Alex Rousskov wrote:
On 01/27/2017 10:39 AM, Christos Tsantilas wrote:
Which
The patch applied to squid-5 as r15020 with the fixes suggested by Alex.
I am attaching the equivalent patch for squid-3.5.
On 25/01/2017 11:42 PM, Alex Rousskov wrote:
On 01/25/2017 12:12 PM, Christos Tsantilas wrote:
On 25/01/2017 08:24 PM, Alex Rousskov wrote:
* A client-sent ClientHello
On 25/01/2017 08:24 PM, Alex Rousskov wrote:
On 01/16/2017 04:38 AM, Christos Tsantilas wrote:
On 13/01/2017 07:04 PM, Alex Rousskov wrote:
The dependency here is that clientHelloMessage comes from our parser. We
can substitute OpenSSL-generated ClientHello with client-sent
ClientHello because
The patches r15016 and r15017 requires to allow make check/distcheck
work in some platforms.
I am attaching a new patch for squid-3.5.
On 24/01/2017 02:55 PM, Christos Tsantilas wrote:
The t3 patch applied to squid-5 as r15014
I am also attaching the patch for squid-3.5.
On 23/01/2017 03
The t3 patch applied to squid-5 as r15014
I am also attaching the patch for squid-3.5.
On 23/01/2017 03:52 PM, Amos Jeffries wrote:
On 23/01/2017 11:04 p.m., Christos Tsantilas wrote:
On 22/01/2017 07:11 PM, Amos Jeffries wrote:
On 23/01/2017 1:03 a.m., Christos Tsantilas wrote
On 22/01/2017 07:11 PM, Amos Jeffries wrote:
On 23/01/2017 1:03 a.m., Christos Tsantilas wrote:
There is a well-known DoS attack using client-initiated SSL/TLS
renegotiation. The severity or uniqueness of this attack method is
disputed, but many believe it is serious/real.
There is even
There is a well-known DoS attack using client-initiated SSL/TLS
renegotiation. The severity or uniqueness of this attack method is
disputed, but many believe it is serious/real.
There is even a (disputed) CVE 2011-1473:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
The old
I am attaching a new patch based on Alex comments.
I also changed the patch preamble a little to match better what squid does.
Please see my comments below.
On 13/01/2017 07:04 PM, Alex Rousskov wrote:
On 01/12/2017 02:28 PM, Christos Tsantilas wrote:
On 12/01/2017 06:48 PM, Alex Rousskov
On 12/01/2017 06:48 PM, Alex Rousskov wrote:
On 01/12/2017 08:35 AM, Christos Tsantilas wrote:
The patch fixes Squid to peeks (or stares) at the origin server as
configured, even if it does not recognize the client TLS
record/message.
s/to peeks (or stares)/to peek (or stare)/
I agree
If Squid receives a valid TLS Hello encapsulated into ancient SSLv2
records (observed on Solaris 10) the old code ignored the step2 peek
decision and bumped the transaction instead.
The patch fixes Squid to peeks (or stares) at the origin server as
configured, even if it does not recognize
On 11/01/2017 04:50 PM, Amos Jeffries wrote:
On 11/01/2017 10:55 p.m., Christos Tsantilas wrote:
We observed such problems on squid shutdown procedure and during regular
squid operation. Any clientStreams redesign should take care of such
problems.
The underlying problem has been known since
We observed such problems on squid shutdown procedure and during regular
squid operation. Any clientStreams redesign should take care of such
problems.
The underlying problem has been known since r13480: If a
ClientHttpRequest job ends without Http::Stream (and ConnStateData)
knowledge, then
The helper protocol for external ACLs [1] defines three possible return
values:
OK - Success. ACL test matches.
ERR - Success. ACL test fails to match.
BH - Failure. The helper encountered a problem.
The external acl helpers distributed with squid currently doesn't follow
this
The unstable debian should use openssl-1.1.0 releases.
This is the bug 4599.
We had make some progress on supporting openSSL-1.1.0, also I am having
in my laptop some more fixes, but it is not finished yet.
On 08/12/2016 08:07 PM, Alex Rousskov wrote:
Hello,
Jenkins has been
On 29/11/2016 09:46 PM, Amos Jeffries wrote:
I'm thinking it might be useful to add a how-to in the release notes for
v4+ to make the compiler update easier. Would you be able to write that
now that you have gone through the process?
I upgraded to newer OS, not just the compiler :-). It is
On 29/11/2016 04:29 AM, Amos Jeffries wrote:
Please note that GCC 4.8 is not capable of building correctly operating
Squid-4 either. So it's not a matter of GCC 4.8 vs Squid.
The 4.8 does not have any problem. I was doing all of my developments
and tests using GCC-4.8 and never found a
On 11/25/2016 03:39 PM, Amos Jeffries wrote:
If you want to look at legality;
Part of the LTS contract is that software feature changes are *not*
done. The clients have chosen to make that a requirement. The OS
distributors have chosen to meet it. Nothing to do with what Squid
Project does in
Hi all,
I have problems to run latest squid-5. The reason looks that it is
the r14954, which removes old GnuRegex and uses the std::regex API.
The std::regex supported from gcc-4.9 and latest releases and I am still
using an gcc-4.8.4 on my kubuntu-14.04 LTS release.
OK, I can upgrade to
I am also attaching the t4 patch for squid-3.5.
This is include all fixes.
On 11/16/2016 04:43 PM, Christos Tsantilas wrote:
If no objection I will apply this patch to trunk.
On 11/16/2016 02:35 PM, Amos Jeffries wrote:
On 16/11/2016 12:58 a.m., Christos Tsantilas wrote:
Hi all,
I
If no objection I will apply this patch to trunk.
On 11/16/2016 02:35 PM, Amos Jeffries wrote:
On 16/11/2016 12:58 a.m., Christos Tsantilas wrote:
Hi all,
I applied the patch as r14945 with an r14946 fix.
Unfortunately while I was testing the Squid-3.5 variant of the patch I
found a bug
On 11/16/2016 02:35 PM, Amos Jeffries wrote:
On 16/11/2016 12:58 a.m., Christos Tsantilas wrote:
Hi all,
I applied the patch as r14945 with an r14946 fix.
Unfortunately while I was testing the Squid-3.5 variant of the patch I
found a bug:
When the Http::One::Server::writeControlMsgAndCall
The following sequence of events triggers this assertion:
- The server sends an 1xx control message.
- http.cc schedules ConnStateData::sendControlMsg call.
- Before sendControlMsg is fired, http.cc detects an error (e.g., I/O
error or timeout) and starts writing the reply to the user.
-
On 11/11/2016 06:36 PM, Christos Tsantilas wrote:
The patch applied to trunk as r14936 and r14937.
I mean applied to "squid-5".
I am attaching a patch for squid-3.5 release.
On 11/11/2016 07:37 AM, Amos Jeffries wrote:
On 11/11/2016 6:03 a.m., Christos Tsantilas wrote:
The patch applied to trunk as r14936 and r14937.
I am attaching a patch for squid-3.5 release.
On 11/11/2016 07:37 AM, Amos Jeffries wrote:
On 11/11/2016 6:03 a.m., Christos Tsantilas wrote:
Added nil dereference checks for Ftp::Client::ctrl.conn, including:
- Ftp::Client::handlePasvReply
Added nil dereference checks for Ftp::Client::ctrl.conn, including:
- Ftp::Client::handlePasvReply() and handleEpsvReply() that dereference
ctrl.conn in DBG_IMPORTANT messages.
- Many functions inside FtpClient.cc and FtpGateway.cc files.
TODO: We need to find a better way to handle nil
::startPeekAndSpliceDone() to one method.
This is possible because the r14898 and this patch removes any extra
call from old startPeekAndSplice method.
I am attaching the final patch as t11.
On 11/02/2016 12:59 AM, Amos Jeffries wrote:
On 2/11/2016 4:31 a.m., Christos Tsantilas wrote:
On 10/28
On 10/28/2016 01:11 PM, Amos Jeffries wrote:
On 21/10/2016 3:55 a.m., Christos Tsantilas wrote:
Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.
Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead
of HTTPS. This change allows Squid admins using SslBump
On 10/28/2016 01:11 PM, Amos Jeffries wrote:
On 21/10/2016 3:55 a.m., Christos Tsantilas wrote:
Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.
Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead
of HTTPS. This change allows Squid admins using SslBump
Patch applied to trunk as r14898.
I am attaching the squid-3.5 version of the patch.
On 10/27/2016 12:46 AM, Amos Jeffries wrote:
On 21/10/2016 5:18 a.m., Christos Tsantilas wrote:
The original server_name code mishandled all SNI checks and some rare
host checks:
* The SNI-derived value
On 10/25/2016 02:40 PM, Amos Jeffries wrote:
On 25/10/2016 11:54 p.m., Dave Lewthwaite wrote:
Hi,
We are running into an issue that has come up a few times on the mailing lists
- host header forgery detection when using SSL peek in order to include SNI
logging in access logs. (Clients
The original server_name code mishandled all SNI checks and some rare
host checks:
* The SNI-derived value was pointing to an already freed memory storage.
* Missing host-derived values were not detected (host() is never nil).
* Mismatches were re-checked with an undocumented "none" value
I am attaching new patch.
On 10/19/2016 07:13 PM, Alex Rousskov wrote:
On 10/19/2016 08:49 AM, Christos Tsantilas wrote:
I am attaching a new patch.
I would like to discuss two issues:
* Logging of scheme-less URLs
This is defines a new proto the PROTO_TCP, and for this prints the url
On 10/19/2016 07:13 PM, Alex Rousskov wrote:
On 10/19/2016 08:49 AM, Christos Tsantilas wrote:
I am attaching a new patch.
I would like to discuss two issues:
* Logging of scheme-less URLs
This is defines a new proto the PROTO_TCP, and for this prints the url
in the form host:port
Tsantilas wrote:
On 10/17/2016 05:42 PM, Alex Rousskov wrote:
On 10/17/2016 01:57 AM, Christos Tsantilas wrote:
On 10/14/2016 02:30 PM, Marcus Kool wrote:
Squid sends the following line to the URL rewriter:
(unknown)://173.194.76.188:443 / - NONE
Squid generates internally request to serve
Hi all,
Is it valid to use template methods inside normal classes for squid?
I know they are working, I am just asking if it is acceptable by squid
policy.
Regards,
Christos
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
On 10/17/2016 05:42 PM, Alex Rousskov wrote:
On 10/17/2016 01:57 AM, Christos Tsantilas wrote:
On 10/14/2016 02:30 PM, Marcus Kool wrote:
Squid sends the following line to the URL rewriter:
(unknown)://173.194.76.188:443 / - NONE
Squid generates internally request to serve the non-HTTP
proposals for better handling these cases.
Regards,
Christos
Marcus
Quoting Christos Tsantilas <chris...@chtsanti.net>:
Use case: Skype groups appear to use TLS-encrypted MSNP protocol
instead of HTTPS. This change allows Squid admins using SslBump to
tunnel Skype groups and similar
Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead
of HTTPS. This change allows Squid admins using SslBump to tunnel Skype
groups and similar non-HTTP traffic bytes via "on_unsupported_protocol
tunnel all". Previously, the combination resulted in encrypted HTTP 400
(Bad
On 09/09/2016 10:26 PM, Alex Rousskov wrote:
On 09/09/2016 11:21 AM, Christos Tsantilas wrote:
On 09/09/2016 07:00 PM, Alex Rousskov wrote:
On 09/09/2016 07:34 AM, Christos Tsantilas wrote:
On 09/09/2016 02:21 PM, Amos Jeffries wrote:
Also the IndependentRunner::registerRunner() method
On 09/09/2016 07:00 PM, Alex Rousskov wrote:
On 09/09/2016 07:34 AM, Christos Tsantilas wrote:
On 09/09/2016 02:21 PM, Amos Jeffries wrote:
These issues are caused by the new RegisterRunner() design using
GetRidOfRunner(rr) if shutdown has already begun. That can potentially
result
On 09/09/2016 02:21 PM, Amos Jeffries wrote:
These issues are caused by the new RegisterRunner() design using
GetRidOfRunner(rr) if shutdown has already begun. That can potentially
result in the constructor of a class inheriting from IndependentRunner
deleting 'this', then the new'd object being
Patch applied to trunk as r14825 with the requested changes.
On 09/07/2016 05:56 PM, Amos Jeffries wrote:
On 7/09/2016 9:44 p.m., Christos Tsantilas wrote:
A preview of this patch originally discussed under the "[PATCH] Bug 4430
Squid crashes on shutdown while cleaning up idle ICAP connec
A preview of this patch originally discussed under the "[PATCH] Bug 4430
Squid crashes on shutdown while cleaning up idle ICAP connections" mail
thread on squid-dev:
http://lists.squid-cache.org/pipermail/squid-dev/2016-March/005214.html
We fixed the patch so I hope it handles most of the
On 09/06/2016 07:29 AM, Amos Jeffries wrote:
On 25/08/2016 3:31 a.m., Christos Tsantilas wrote:
When comparing the requested domain name with a certificate Common Name,
Squid expanded wildcard to cover more than one domain name label (a.k.a
component), violating RFC 2818 requirement[1
If no any objection I will apply this patch to trunk.
On 08/24/2016 06:31 PM, Christos Tsantilas wrote:
When comparing the requested domain name with a certificate Common Name,
Squid expanded wildcard to cover more than one domain name label (a.k.a
component), violating RFC 2818 requirement[1
When comparing the requested domain name with a certificate Common Name,
Squid expanded wildcard to cover more than one domain name label (a.k.a
component), violating RFC 2818 requirement[1]. For example, Squid
thought that wrong.host.example.com matched a *.example.com CN.
[1] "the
wrote:
On 28/07/2016 1:38 a.m., Amos Jeffries wrote:
On 28/07/2016 1:26 a.m., Christos Tsantilas wrote:
On 07/27/2016 04:12 PM, Amos Jeffries wrote:
Ping. Can this be applied soon please?
I delay applying this patch because of the "crash after r14735" issue
which does not allow me to
On 07/19/2016 09:52 AM, Amos Jeffries wrote:
On 18/07/2016 11:12 p.m., Christos Tsantilas wrote:
On 07/16/2016 03:56 PM, Amos Jeffries wrote:
On 16/07/2016 7:02 a.m., Alex Rousskov wrote:
Hello,
There are two more recent changes that broke trunk:
* After r14735 (Replaced TidyPointer
On 07/20/2016 04:42 PM, Amos Jeffries wrote:
On 16/07/2016 2:08 a.m., Christos Tsantilas wrote:
A new patch.
It also includes the following fixes:
- Sets the log_uri for ClientHttpRequest build by Downloader
- Removes two XXX comments from PeerConnector class, which are not
valid any
On 07/18/2016 08:32 PM, Alex Rousskov wrote:
On 07/18/2016 08:49 AM, Christos Tsantilas wrote:
On 07/18/2016 02:12 PM, Christos Tsantilas wrote:
On 07/16/2016 03:56 PM, Amos Jeffries wrote:
On 16/07/2016 7:02 a.m., Alex Rousskov wrote:
* After r14726 (GnuTLS: support for TLS session resume
On 07/18/2016 02:12 PM, Christos Tsantilas wrote:
On 07/16/2016 03:56 PM, Amos Jeffries wrote:
On 16/07/2016 7:02 a.m., Alex Rousskov wrote:
* After r14726 (GnuTLS: support for TLS session resume): Squid segfaults
when attempting to connect to a Secure ICAP service. Official Squid
v4.0.12
On 07/16/2016 03:56 PM, Amos Jeffries wrote:
On 16/07/2016 7:02 a.m., Alex Rousskov wrote:
Hello,
There are two more recent changes that broke trunk:
* After r14735 (Replaced TidyPointer with std::unique_ptr), Squid cannot
start due to an "std::bad_function_call" exception.
* After
On 07/15/2016 12:59 AM, Alex Rousskov wrote:
On 07/13/2016 10:48 AM, Christos Tsantilas wrote:
On 07/11/2016 10:13 PM, Alex Rousskov wrote:
On 07/11/2016 10:18 AM, Christos Tsantilas wrote:
+SBuf object;
+Http::StatusCode status;
+};
If you can make Downloader::CbDialer
A new patch.
It also includes the following fixes:
- Sets the log_uri for ClientHttpRequest build by Downloader
- Removes two XXX comments from PeerConnector class, which are not
valid any more
- Make the Downloader::CbDialer a CallDialer kid.
Please also see my comments below.
On
On 07/15/2016 11:14 AM, Amos Jeffries wrote:
Or when we need some certainty about what the size of the data field
actually is.
Side track: For sizes of payload objects we should be centering on
uint64_t to handle the large objects instead of size_t or int which
can't handle them.
This
On 07/11/2016 10:13 PM, Alex Rousskov wrote:
On 07/11/2016 10:18 AM, Christos Tsantilas wrote:
+/// The maximum allowed object size.
+static const size_t MaxObjectSize = 1*1024*1024;
+bool existingContent = reply ? reply->content_length : 0;
+bool exceedS
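Review bot: in the line declaring existingContent, the value of reply->content_length is stored in a bool, so any non-zero length collapses to true and the actual size is no longer available for a check against MaxObjectSize. Declare existingContent with an integer type wide enough to hold the length, and keep bool only for the result of the comparison.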
On 07/11/2016 07:53 PM, Alex Rousskov wrote:
On 07/11/2016 10:18 AM, Christos Tsantilas wrote:
This patch includes a Downloader class which implemented as independent
AsyncJob class (in the initial patch was a ConnStateData kid).
Currently runs an other related discussion under the mail thread
Patch description
~~~
Many web servers do not have complete certificate chains. Many browsers
use certificate extensions of the server certificate and download the
missing intermediate certificates automatically from the Internet.
This patch add this feature to Squid.
The
On 07/07/2016 10:22 PM, Alex Rousskov wrote:
On 07/06/2016 10:52 PM, Amos Jeffries wrote:
On 7/07/2016 10:24 a.m., Alex Rousskov wrote:
Q2. Where does the pending Downloader class belong?
In overview I think if we have a good Downloader design those other
things and ESIInclude should
On 06/22/2016 04:02 AM, Alex Rousskov wrote:
I have attached a list of relevant trunk calls. It may be incomplete.
I run over the list to check for problems.
Also I checked the resetAndLock calls, looks ok.
However the truth is that the reset/resetAndLock scheme for
lockingPointer is
On 06/22/2016 02:29 PM, Amos Jeffries wrote:
On 22/06/2016 10:42 p.m., Christos Tsantilas wrote:
On 06/22/2016 07:32 AM, Amos Jeffries wrote:
On 22/06/2016 1:02 p.m., Alex Rousskov wrote:
On 06/21/2016 04:00 AM, Amos Jeffries wrote:
...
In the patch I'm working on now its looking very much
On 06/22/2016 07:32 AM, Amos Jeffries wrote:
On 22/06/2016 1:02 p.m., Alex Rousskov wrote:
On 06/21/2016 04:00 AM, Amos Jeffries wrote:
The two I saw were:
1) PeekingPeerConnector::handleServerCertificate() doing
serverBump->serverCert.reset(serverCert.release())
On much closer inspection