Re: [squid-dev] OpenSSL 3.0 support at last

2020-07-23 Thread Christos Tsantilas
On 23/7/20 7:08 AM, Amos Jeffries wrote: Hi guys, OpenSSL 3.0 with their new GPL compatible license is becoming available now in Debian and that means we can finally auto-enable all OpenSSL features when building against that version. I am starting test build now to see how much breakage we

Re: [squid-dev] squid master build with alternate openssl fails

2020-05-10 Thread Christos Tsantilas
On 8/5/20 5:50 PM, Amos Jeffries wrote: Does this change resolve the issue for you? It is a step but this is not enough. I am attaching a patch which finally solved the issue. However still it is not enough, there are other similar cases that need to be fixed in squid-util.m4 and probably in

[squid-dev] squid master build with alternate openssl fails

2020-05-08 Thread Christos Tsantilas
Hi all, Squid master 699ade2d fails to build with an alternate OpenSSL, when the "--with-openssl=/path/to/openssl" is used. I think that the issue was added with commit 245314010. Example build output: g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/usr/local/squid3-cvs/etc/squid.conf\"

Re: [squid-dev] New patches and squid-v4

2017-11-17 Thread Christos Tsantilas
On 17/11/2017 07:45 PM, Alex Rousskov wrote: On 11/17/2017 10:06 AM, Christos Tsantilas wrote: For any new patch, we are building a git-PR for merging it to squid-5/master. Should we make a git-PR for squid-4 too (and squid-3.5)? Or the squid-4 maintainer is responsible to extract

[squid-dev] New patches and squid-v4

2017-11-17 Thread Christos Tsantilas
Hi all, I am a little confused about the procedure I should follow for applying patches to squid, especially for patches which should be included in squid-4. For any new patch, we are building a git-PR for merging it to squid-5/master. Should we make a git-PR for squid-4 too (and

Re: [squid-dev] [PATCH] Reuse reserved Negotiate and NTLM helpers after an idle timeout.

2017-09-04 Thread Christos Tsantilas
I made the PR #59 for this patch. We can do any discussion here. Regards, Christos On 27/07/2017 09:52 AM, Christos Tsantilas wrote: The patch. On 26/07/2017 12:37 PM, Christos Tsantilas wrote: Squid can be killed or maimed by enough clients that start multi-step connection

Re: [squid-dev] [PATCH] Reuse reserved Negotiate and NTLM helpers after an idle timeout.

2017-08-08 Thread Christos Tsantilas
On 05/08/2017 09:52 AM, Amos Jeffries wrote: On 01/08/17 04:40, Alex Rousskov wrote: On 07/31/2017 09:24 AM, Amos Jeffries wrote: To do so otherwise would randomly allow replay attacks to succeed Please give a specific example where the proposed changes would allow a new kind of replay

Re: [squid-dev] [PATCH] Reuse reserved Negotiate and NTLM helpers after an idle timeout.

2017-07-31 Thread Christos Tsantilas
On 30/07/2017 06:48 AM, Amos Jeffries wrote: On 27/07/17 18:52, Christos Tsantilas wrote: The patch. On 26/07/2017 12:37 PM, Christos Tsantilas wrote: Squid can be killed or maimed by enough clients that start multi-step connection authentication but never follow up with the second

Re: [squid-dev] [PATCH] Reuse reserved Negotiate and NTLM helpers after an idle timeout.

2017-07-27 Thread Christos Tsantilas
The patch. On 26/07/2017 12:37 PM, Christos Tsantilas wrote: Squid can be killed or maimed by enough clients that start multi-step connection authentication but never follow up with the second HTTP request while keeping their HTTP connection open. Affected helpers remain in the "res

[squid-dev] [PATCH] Reuse reserved Negotiate and NTLM helpers after an idle timeout.

2017-07-26 Thread Christos Tsantilas
Squid can be killed or maimed by enough clients that start multi-step connection authentication but never follow up with the second HTTP request while keeping their HTTP connection open. Affected helpers remain in the "reserved" state and cannot be reused for other clients. Observed helper

[squid-dev] [PATCH] Fix SSL certificate cache refresh and collision handling.

2017-07-14 Thread Christos Tsantilas
SslBump was ignoring origin server certificate changes and using the previously cached fake certificate (mimicking now-stale properties). Also, Squid was not detecting key collisions inside certificate caches. On-disk certificate cache fixes: - Use the original certificate signature instead

Re: [squid-dev] [PATCH] Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.

2017-06-26 Thread Christos Tsantilas
Also attaching the patches for squid-3.5 and squid-4. The squid-3.5 patch passes the HttpRequest::Pointer as parameter to the ConnStateData::pinConnection method. On 23/06/2017 12:53 PM, Christos Tsantilas wrote: A new patch On 21/06/2017 08:07 PM, Alex Rousskov wrote: On 06/21/2017

Re: [squid-dev] [PATCH] Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.

2017-06-23 Thread Christos Tsantilas
A new patch On 21/06/2017 08:07 PM, Alex Rousskov wrote: On 06/21/2017 05:40 AM, Christos Tsantilas wrote: I suggest the following one or two polishing touches: 1. Merge pinConnection() and pinNewConnection() by returning from the method if there is nothing to do, with a debugs() line

[squid-dev] [PATCH] Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.

2017-06-21 Thread Christos Tsantilas
* Protect Squid Client classes from new requests that compete with ongoing pinned connection use and * resume dealing with new requests when those Client classes are done using the pinned connection. Replaced primary ConnStateData::pinConnection() calls with a pair of pinBusyConnection()

Re: [squid-dev] src/forward.h

2017-06-20 Thread Christos Tsantilas
On 20/06/2017 01:59 AM, Alex Rousskov wrote: revno: 15212 committer: Amos Jeffries branch nick: 5 timestamp: Tue 2017-06-20 01:53:03 +1200 message: Fix build errors with automake after rev.15194 We cannot name files in src/ the same as files in

Re: [squid-dev] [PATCH] Collapse security_file_certgen requests.

2017-06-12 Thread Christos Tsantilas
On 10/06/2017 03:32 PM, Amos Jeffries wrote: On 09/06/17 02:52, Christos Tsantilas wrote: Concurrent identical same-worker security_file_certgen (a.k.a. ssl_crtd) requests are collapsed: The first such request goes through to one of the helpers while others wait for that first request

Re: [squid-dev] [PATCH] ssl::server_name options to control matching logic.

2017-06-12 Thread Christos Tsantilas
Patch applied to squid-5 as r15189, with the requested fixes. On 31/05/2017 05:56 PM, Alex Rousskov wrote: On 05/30/2017 10:58 PM, Amos Jeffries wrote: On 26/05/17 22:08, Christos Tsantilas wrote: --consensus allows matching a part of the conglomerate when the part's subject name

Re: [squid-dev] [PATCH] Adds support for --long-acl-options

2017-06-12 Thread Christos Tsantilas
Patch applied to trunk as r15188 with the requested fixes. On 10/06/2017 04:30 PM, Amos Jeffries wrote: On 24/05/17 20:31, Christos Tsantilas wrote: Adds support for --long-acl-options This patch adds support for --long-acl-options. The old single-letter ACL "flags" code was

[squid-dev] [PATCH] Collapse security_file_certgen requests.

2017-06-08 Thread Christos Tsantilas
Concurrent identical same-worker security_file_certgen (a.k.a. ssl_crtd) requests are collapsed: The first such request goes through to one of the helpers while others wait for that first request to complete, successfully or otherwise. This optimization helps dealing with flash crowds that

[squid-dev] [PATCH] transaction_initiator ACL for detecting various unusual transactions

2017-06-08 Thread Christos Tsantilas
This ACL is essential in several use cases, including: * After fetching a missing intermediate certificate, Squid uses the regular cache (and regular caching rules) to store the response. Squid deployments that do not want to cache regular traffic need to cache fetched certificates and only

[squid-dev] [PATCH] ssl::server_name options to control matching logic.

2017-05-26 Thread Christos Tsantilas
This patch uses the "--long-options" ACLs feature which was posted to squid-dev under the mail thread: "[PATCH] Adds support for --long-acl-options" Patch description: Many popular servers use certificates with several "alternative subject names" (SubjectAltName). Many of those names are

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-24 Thread Christos Tsantilas
On 19/05/2017 07:19 PM, Christos Tsantilas wrote: The t4 patch I committed this patch to squid-5 as r15152. On 19/05/2017 12:27 AM, Amos Jeffries wrote: On 19/05/17 04:04, Christos Tsantilas wrote: On 18/05/2017 03:40 PM, Amos Jeffries wrote: On 18/05/17 23:12, Christos Tsantilas wrote

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-19 Thread Christos Tsantilas
The t4 patch On 19/05/2017 12:27 AM, Amos Jeffries wrote: On 19/05/17 04:04, Christos Tsantilas wrote: On 18/05/2017 03:40 PM, Amos Jeffries wrote: On 18/05/17 23:12, Christos Tsantilas wrote: +# check for API functions +AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [AC_DEFINE

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-18 Thread Christos Tsantilas
On 18/05/2017 06:05 PM, Alex Rousskov wrote: On 05/18/2017 05:12 AM, Christos Tsantilas wrote: Agrr... Using the openSSL version was the faster/easier way. Touching autoconf may result in 2-3 full squid rebuilds to implement/test similar fixes. The alternative is to convince others

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-18 Thread Christos Tsantilas
On 18/05/2017 03:40 PM, Amos Jeffries wrote: On 18/05/17 23:12, Christos Tsantilas wrote: +# check for API functions +AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available])], []) + This bit seems to be correct

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-18 Thread Christos Tsantilas
On 18/05/2017 03:12 PM, Amos Jeffries wrote: On 18/05/17 23:12, Christos Tsantilas wrote: On 17/05/2017 07:56 PM, Alex Rousskov wrote: On 05/17/2017 10:35 AM, Christos Tsantilas wrote: +#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) +X509 * cert = SSL_CTX_get0_certificate(ctx.

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-18 Thread Christos Tsantilas
On 17/05/2017 07:56 PM, Alex Rousskov wrote: On 05/17/2017 10:35 AM, Christos Tsantilas wrote: +#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) +X509 * cert = SSL_CTX_get0_certificate(ctx.get()); If it is possible to replace this version check with a ./configure-time detect

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-17 Thread Christos Tsantilas
On 16/05/2017 03:04 PM, Amos Jeffries wrote: Building Squid-5 r15136 against the latest libssl 1.1.0e on Ubuntu. src/ssl/support.cc: In function ‘bool Ssl::verifySslCertificate(Security::ContextPointer&, const Ssl::CertificateProperties&)’: src/ssl/support.cc:995:34: error: invalid use of

Re: [squid-dev] OpenSSL 1.1 regression

2017-05-16 Thread Christos Tsantilas
On 16/05/2017 03:04 PM, Amos Jeffries wrote: Building Squid-5 r15136 against the latest libssl 1.1.0e on Ubuntu. src/ssl/support.cc: In function ‘bool Ssl::verifySslCertificate(Security::ContextPointer&, const Ssl::CertificateProperties&)’: src/ssl/support.cc:995:34: error: invalid use of

Re: [squid-dev] [PATCH] Second adaptation missing for CONNECTs

2017-04-14 Thread Christos Tsantilas
Applied as r15121 to squid-5 branch. On 14/04/2017 02:02 PM, Amos Jeffries wrote: On 14/04/2017 1:10 a.m., Christos Tsantilas wrote: If there are no objections I will apply this patch to squid-5 branch I'm not seeing anything obviously wrong with it and it's past the 10-day criteria. So

Re: [squid-dev] [PATCH] Second adaptation missing for CONNECTs

2017-04-13 Thread Christos Tsantilas
If there are no objections I will apply this patch to squid-5 branch On 31/03/2017 04:21 PM, Christos Tsantilas wrote: Hi all, Squid does not send CONNECT request to adaptation services if the "ssl_bump splice" rule matched at step 2. This adaptation is important because the CONNE

[squid-dev] [PATCH] Second adaptation missing for CONNECTs

2017-03-31 Thread Christos Tsantilas
Hi all, Squid does not send CONNECT request to adaptation services if the "ssl_bump splice" rule matched at step 2. This adaptation is important because the CONNECT request gains SNI information during the second SslBump step. This is a regression bug, possibly caused by the Squid bug 4529

Re: [squid-dev] [PATCH] Bump SSL client on [more] errors encountered before ssl_bump evaluation

2017-02-21 Thread Christos Tsantilas
/2017 06:38 PM, Amos Jeffries wrote: On 7/02/2017 11:12 p.m., Christos Tsantilas wrote: On 07/02/2017 11:43 AM, Amos Jeffries wrote: On 7/02/2017 6:07 a.m., Christos Tsantilas wrote: Applied to trunk as r15036. I am attaching the patch for squid-3.5 On 04/02/2017 04:07 PM, Amos Jeffries wrote

Re: [squid-dev] [PATCH] Bump SSL client on [more] errors encountered before ssl_bump evaluation

2017-02-07 Thread Christos Tsantilas
On 07/02/2017 11:43 AM, Amos Jeffries wrote: On 7/02/2017 6:07 a.m., Christos Tsantilas wrote: Applied to trunk as r15036. I am attaching the patch for squid-3.5 On 04/02/2017 04:07 PM, Amos Jeffries wrote: On 4/02/2017 8:27 a.m., Christos Tsantilas wrote: ... such as ERR_ACCESS_DENIED

Re: [squid-dev] [PATCH] Bump SSL client on [more] errors encountered before ssl_bump evaluation

2017-02-06 Thread Christos Tsantilas
Applied to trunk as r15036. I am attaching the patch for squid-3.5 On 04/02/2017 04:07 PM, Amos Jeffries wrote: On 4/02/2017 8:27 a.m., Christos Tsantilas wrote: ... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an http_access deny rule match. The old code allowed ssl_bump

[squid-dev] [PATCH] Bump SSL client on [more] errors encountered before ssl_bump evaluation

2017-02-03 Thread Christos Tsantilas
... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an http_access deny rule match. The old code allowed ssl_bump step1 rules to be evaluated in the presence of an error. An ssl_bump splicing decision would then trigger the useless "send the error to the client now" processing

Re: [squid-dev] [PATCH] initial GnuTLS support for encrypted server connections

2017-02-02 Thread Christos Tsantilas
On 02/02/2017 03:16 AM, Alex Rousskov wrote: On 02/01/2017 01:42 PM, Christos Tsantilas wrote: must take in account that some openSSL calls return locked objects, and some other unlocked objects. Does the patch start using shared pointers for any objects in the second, "returned unl

Re: [squid-dev] [PATCH] initial GnuTLS support for encrypted server connections

2017-02-01 Thread Christos Tsantilas
On 19/01/2017 09:11 PM, Alex Rousskov wrote: Does the patched code continue to work well with OpenSSL? You have not answered this question. Please do not commit these changes until the OpenSSL build is tested. Amos asked me to make some tests if I have time. I made some simple tests with

Re: [squid-dev] [PATCH] annotate_transaction ACL

2017-01-30 Thread Christos Tsantilas
The adjusted patch which implements the new acls applied to squid-5 as r15024 and r15026. The patch which fixed Auth::UserRequest::denyMessage() method applied to squid-5 as r15025 On 27/01/2017 08:05 PM, Alex Rousskov wrote: On 01/27/2017 10:39 AM, Christos Tsantilas wrote: Which

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-26 Thread Christos Tsantilas
The patch applied to squid-5 as r15020 with the fixes suggested by Alex. I am attaching the equivalent patch for squid-3.5. On 25/01/2017 11:42 PM, Alex Rousskov wrote: On 01/25/2017 12:12 PM, Christos Tsantilas wrote: On 25/01/2017 08:24 PM, Alex Rousskov wrote: * A client-sent ClientHello

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-25 Thread Christos Tsantilas
On 25/01/2017 08:24 PM, Alex Rousskov wrote: On 01/16/2017 04:38 AM, Christos Tsantilas wrote: On 13/01/2017 07:04 PM, Alex Rousskov wrote: The dependency here is that clientHelloMessage comes from our parser. We can substitute OpenSSL-generated ClientHello with client-sent ClientHello because

Re: [squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

2017-01-25 Thread Christos Tsantilas
The patches r15016 and r15017 are required to allow make check/distcheck to work on some platforms. I am attaching a new patch for squid-3.5. On 24/01/2017 02:55 PM, Christos Tsantilas wrote: The t3 patch applied to squid-5 as r15014 I am also attaching the patch for squid-3.5. On 23/01/2017 03

Re: [squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

2017-01-24 Thread Christos Tsantilas
The t3 patch applied to squid-5 as r15014 I am also attaching the patch for squid-3.5. On 23/01/2017 03:52 PM, Amos Jeffries wrote: On 23/01/2017 11:04 p.m., Christos Tsantilas wrote: On 22/01/2017 07:11 PM, Amos Jeffries wrote: On 23/01/2017 1:03 a.m., Christos Tsantilas wrote

Re: [squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

2017-01-23 Thread Christos Tsantilas
On 22/01/2017 07:11 PM, Amos Jeffries wrote: On 23/01/2017 1:03 a.m., Christos Tsantilas wrote: There is a well-known DoS attack using client-initiated SSL/TLS renegotiation. The severity or uniqueness of this attack method is disputed, but many believe it is serious/real. There is even

[squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

2017-01-22 Thread Christos Tsantilas
There is a well-known DoS attack using client-initiated SSL/TLS renegotiation. The severity or uniqueness of this attack method is disputed, but many believe it is serious/real. There is even a (disputed) CVE 2011-1473: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473 The old

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-16 Thread Christos Tsantilas
I am attaching a new patch based on Alex comments. I also changed the patch preamble a little to better match what squid does. Please see my comments below. On 13/01/2017 07:04 PM, Alex Rousskov wrote: On 01/12/2017 02:28 PM, Christos Tsantilas wrote: On 12/01/2017 06:48 PM, Alex Rousskov

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-12 Thread Christos Tsantilas
On 12/01/2017 06:48 PM, Alex Rousskov wrote: On 01/12/2017 08:35 AM, Christos Tsantilas wrote: The patch fixes Squid to peeks (or stares) at the origin server as configured, even if it does not recognize the client TLS record/message. s/to peeks (or stares)/to peek (or stare)/ I agree

[squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-12 Thread Christos Tsantilas
If Squid receives a valid TLS Hello encapsulated into ancient SSLv2 records (observed on Solaris 10) the old code ignored the step2 peek decision and bumped the transaction instead. The patch fixes Squid to peek (or stare) at the origin server as configured, even if it does not recognize

Re: [squid-dev] [PATCH] Reduce crashes due to unexpected ClientHttpRequest termination.

2017-01-11 Thread Christos Tsantilas
On 11/01/2017 04:50 PM, Amos Jeffries wrote: On 11/01/2017 10:55 p.m., Christos Tsantilas wrote: We observed such problems on squid shutdown procedure and during regular squid operation. Any clientStreams redesign should take care of such problems. The underlying problem has been known since

[squid-dev] [PATCH] Reduce crashes due to unexpected ClientHttpRequest termination.

2017-01-11 Thread Christos Tsantilas
We observed such problems on squid shutdown procedure and during regular squid operation. Any clientStreams redesign should take care of such problems. The underlying problem has been known since r13480: If a ClientHttpRequest job ends without Http::Stream (and ConnStateData) knowledge, then

[squid-dev] [PATCH] External ACL helpers error handling & caching

2017-01-09 Thread Christos Tsantilas
The helper protocol for external ACLs [1] defines three possible return values: OK - Success. ACL test matches. ERR - Success. ACL test fails to match. BH - Failure. The helper encountered a problem. The external acl helpers distributed with squid currently do not follow this
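The three-way answer described in that message is easy to get wrong: a helper that reports a backend outage as ERR turns a transient failure into a definitive "does not match" verdict. The following is an added example of a minimal external ACL helper that keeps the OK / ERR / BH distinction; it is not one of the helpers shipped with Squid. It assumes a hypothetical squid.conf line such as `external_acl_type groupcheck concurrency=10 %LOGIN %SRC /path/to/helper.py`, so each request line arrives as `<channel-id> <login> <client-ip>` and each answer must echo the channel-id. The group table, the `__outage__` sentinel user and the `required_group` default are constructed sample data.

```python
"""Minimal Squid external ACL helper honouring the OK / ERR / BH protocol.

Added example, not one of the helpers distributed with Squid. Assumed
configuration (hypothetical):
    external_acl_type groupcheck concurrency=10 %LOGIN %SRC /path/to/helper.py
With concurrency enabled, every request line starts with a channel-id that
the answer must echo back.
"""
import sys

# Constructed sample data standing in for an LDAP/SQL group lookup.
SAMPLE_GROUPS = {
    "alice": {"staff", "vpn"},
    "bob": {"staff"},
}


class BackendError(Exception):
    """The backend could not be consulted at all (outage, timeout, ...)."""


def lookup_groups(user, table=SAMPLE_GROUPS):
    """Return the set of groups for `user`.

    A real helper would query a directory here. The constructed sentinel
    user "__outage__" simulates an unreachable backend so the BH path can
    be exercised offline.
    """
    if user == "__outage__":
        raise BackendError("directory unreachable")
    return table.get(user, set())


def helper_response(line, required_group="staff", concurrent=True,
                    table=SAMPLE_GROUPS):
    """Turn one request line into one protocol answer (without newline).

    OK  - the ACL matches (user is a member of required_group)
    ERR - the ACL does not match (unknown user, or not a member)
    BH  - the helper could not answer; this is deliberately NOT reported
          as ERR, because ERR is a successful, negative verdict that Squid
          may cache, while BH tells Squid the helper itself failed.
    """
    fields = line.rstrip("\r\n").split()
    channel = ""
    if concurrent:
        if not fields:
            return "BH message=missing_channel_id"
        channel = fields[0] + " "
        fields = fields[1:]
    if not fields:
        return channel + "BH message=malformed_request"
    user = fields[0]
    try:
        groups = lookup_groups(user, table)
    except BackendError as err:
        # Values with spaces would need quoting; keep the message simple.
        return channel + "BH message=" + err.args[0].replace(" ", "_")
    if required_group in groups:
        return channel + "OK user=" + user
    return channel + "ERR message=not_in_group"


def serve(stream_in=sys.stdin, stream_out=sys.stdout, required_group="staff"):
    """Main loop: one request line in, one answer line out, flushed each time
    so Squid never waits on a buffered reply."""
    for line in stream_in:
        stream_out.write(helper_response(line, required_group) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    serve(required_group=sys.argv[1] if len(sys.argv) > 1 else "staff")
```

The important design choice is the `except BackendError` branch: a lookup that cannot be completed yields `BH`, so Squid can treat it as a helper problem instead of recording a negative result for that user. Swapping `ERR` in there is exactly the misbehaviour the message above describes.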

Re: [squid-dev] Broken SSL build

2016-12-08 Thread Christos Tsantilas
The unstable Debian should use openssl-1.1.0 releases. This is the bug 4599. We have made some progress on supporting openSSL-1.1.0; I also have some more fixes on my laptop, but they are not finished yet. On 08/12/2016 08:07 PM, Alex Rousskov wrote: Hello, Jenkins has been

Re: [squid-dev] g++ 4.8.x and std::regex problems

2016-11-30 Thread Christos Tsantilas
On 29/11/2016 09:46 PM, Amos Jeffries wrote: I'm thinking it might be useful to add a how-to in the release notes for v4+ to make the compiler update easier. Would you be able to write that now that you have gone through the process? I upgraded to newer OS, not just the compiler :-). It is

Re: [squid-dev] g++ 4.8.x and std::regex problems

2016-11-28 Thread Christos Tsantilas
On 29/11/2016 04:29 AM, Amos Jeffries wrote: Please note that GCC 4.8 is not capable of building correctly operating Squid-4 either. So it's not a matter of GCC 4.8 vs Squid. The 4.8 does not have any problem. I was doing all of my developments and tests using GCC-4.8 and never found a

Re: [squid-dev] g++ 4.8.x and std::regex problems

2016-11-25 Thread Christos Tsantilas
On 11/25/2016 03:39 PM, Amos Jeffries wrote: If you want to look at legality; Part of the LTS contract is that software feature changes are *not* done. The clients have chosen to make that a requirement. The OS distributors have chosen to meet it. Nothing to do with what Squid Project does in

[squid-dev] g++ 4.8.x and std::regex problems

2016-11-25 Thread Christos Tsantilas
Hi all, I have problems running the latest squid-5. The reason looks to be r14954, which removes old GnuRegex and uses the std::regex API. std::regex is supported from gcc-4.9 and later releases and I am still using a gcc-4.8.4 on my kubuntu-14.04 LTS release. OK, I can upgrade to

Re: [squid-dev] [PATCH] Fixed Write.cc:41 "!ccb->active()" assertion

2016-11-17 Thread Christos Tsantilas
I am also attaching the t4 patch for squid-3.5. This includes all fixes. On 11/16/2016 04:43 PM, Christos Tsantilas wrote: If there is no objection I will apply this patch to trunk. On 11/16/2016 02:35 PM, Amos Jeffries wrote: On 16/11/2016 12:58 a.m., Christos Tsantilas wrote: Hi all, I

Re: [squid-dev] [PATCH] Fixed Write.cc:41 "!ccb->active()" assertion

2016-11-16 Thread Christos Tsantilas
If there is no objection I will apply this patch to trunk. On 11/16/2016 02:35 PM, Amos Jeffries wrote: On 16/11/2016 12:58 a.m., Christos Tsantilas wrote: Hi all, I applied the patch as r14945 with an r14946 fix. Unfortunately while I was testing the Squid-3.5 variant of the patch I found a bug

Re: [squid-dev] [PATCH] Fixed Write.cc:41 "!ccb->active()" assertion

2016-11-16 Thread Christos Tsantilas
On 11/16/2016 02:35 PM, Amos Jeffries wrote: On 16/11/2016 12:58 a.m., Christos Tsantilas wrote: Hi all, I applied the patch as r14945 with an r14946 fix. Unfortunately while I was testing the Squid-3.5 variant of the patch I found a bug: When the Http::One::Server::writeControlMsgAndCall

[squid-dev] [PATCH] Fixed Write.cc:41 "!ccb->active()" assertion

2016-11-14 Thread Christos Tsantilas
The following sequence of events triggers this assertion: - The server sends an 1xx control message. - http.cc schedules ConnStateData::sendControlMsg call. - Before sendControlMsg is fired, http.cc detects an error (e.g., I/O error or timeout) and starts writing the reply to the user. -

Re: [squid-dev] [PATCH] Segfault via Ftp::Client::readControlReply.

2016-11-11 Thread Christos Tsantilas
On 11/11/2016 06:36 PM, Christos Tsantilas wrote: The patch applied to trunk as r14936 and r14937. I mean applied to "squid-5". I am attaching a patch for squid-3.5 release. On 11/11/2016 07:37 AM, Amos Jeffries wrote: On 11/11/2016 6:03 a.m., Christos Tsantilas wrote:

Re: [squid-dev] [PATCH] Segfault via Ftp::Client::readControlReply.

2016-11-11 Thread Christos Tsantilas
The patch applied to trunk as r14936 and r14937. I am attaching a patch for squid-3.5 release. On 11/11/2016 07:37 AM, Amos Jeffries wrote: On 11/11/2016 6:03 a.m., Christos Tsantilas wrote: Added nil dereference checks for Ftp::Client::ctrl.conn, including: - Ftp::Client::handlePasvReply

[squid-dev] [PATCH] Segfault via Ftp::Client::readControlReply.

2016-11-10 Thread Christos Tsantilas
Added nil dereference checks for Ftp::Client::ctrl.conn, including: - Ftp::Client::handlePasvReply() and handleEpsvReply() that dereference ctrl.conn in DBG_IMPORTANT messages. - Many functions inside FtpClient.cc and FtpGateway.cc files. TODO: We need to find a better way to handle nil

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-11-04 Thread Christos Tsantilas
::startPeekAndSpliceDone() to one method. This is possible because the r14898 and this patch removes any extra call from old startPeekAndSplice method. I am attaching the final patch as t11. On 11/02/2016 12:59 AM, Amos Jeffries wrote: On 2/11/2016 4:31 a.m., Christos Tsantilas wrote: On 10/28

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-11-01 Thread Christos Tsantilas
On 10/28/2016 01:11 PM, Amos Jeffries wrote: On 21/10/2016 3:55 a.m., Christos Tsantilas wrote: Support tunneling of bumped non-HTTP traffic. Other SslBump fixes. Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead of HTTPS. This change allows Squid admins using SslBump

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-10-28 Thread Christos Tsantilas
On 10/28/2016 01:11 PM, Amos Jeffries wrote: On 21/10/2016 3:55 a.m., Christos Tsantilas wrote: Support tunneling of bumped non-HTTP traffic. Other SslBump fixes. Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead of HTTPS. This change allows Squid admins using SslBump

Re: [squid-dev] [PATCH] ssl::server_name ACL badly broken since inception (trunk r14008).

2016-10-28 Thread Christos Tsantilas
Patch applied to trunk as r14898. I am attaching the squid-3.5 version of the patch. On 10/27/2016 12:46 AM, Amos Jeffries wrote: On 21/10/2016 5:18 a.m., Christos Tsantilas wrote: The original server_name code mishandled all SNI checks and some rare host checks: * The SNI-derived value

Re: [squid-dev] Host header forgery detection when peeking for SNI

2016-10-25 Thread Christos Tsantilas
On 10/25/2016 02:40 PM, Amos Jeffries wrote: On 25/10/2016 11:54 p.m., Dave Lewthwaite wrote: Hi, We are running into an issue that has come up a few times on the mailing lists - host header forgery detection when using SSL peek in order to include SNI logging in access logs. (Clients

[squid-dev] [PATCH] ssl::server_name ACL badly broken since inception (trunk r14008).

2016-10-20 Thread Christos Tsantilas
The original server_name code mishandled all SNI checks and some rare host checks: * The SNI-derived value was pointing to an already freed memory storage. * Missing host-derived values were not detected (host() is never nil). * Mismatches were re-checked with an undocumented "none" value

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-10-20 Thread Christos Tsantilas
I am attaching a new patch. On 10/19/2016 07:13 PM, Alex Rousskov wrote: On 10/19/2016 08:49 AM, Christos Tsantilas wrote: I am attaching a new patch. I would like to discuss two issues: * Logging of scheme-less URLs This defines a new proto, PROTO_TCP, and for this prints the url

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-10-19 Thread Christos Tsantilas
On 10/19/2016 07:13 PM, Alex Rousskov wrote: On 10/19/2016 08:49 AM, Christos Tsantilas wrote: I am attaching a new patch. I would like to discuss two issues: * Logging of scheme-less URLs This defines a new proto, PROTO_TCP, and for this prints the url in the form host:port

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-10-19 Thread Christos Tsantilas
Tsantilas wrote: On 10/17/2016 05:42 PM, Alex Rousskov wrote: On 10/17/2016 01:57 AM, Christos Tsantilas wrote: On 10/14/2016 02:30 PM, Marcus Kool wrote: Squid sends the following line to the URL rewriter: (unknown)://173.194.76.188:443 / - NONE Squid generates internally request to serve

[squid-dev] Template methods inside normal classes

2016-10-18 Thread Christos Tsantilas
Hi all, Is it valid to use template methods inside normal classes for squid? I know they are working, I am just asking if it is acceptable by squid policy. Regards, Christos

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-10-17 Thread Christos Tsantilas
On 10/17/2016 05:42 PM, Alex Rousskov wrote: On 10/17/2016 01:57 AM, Christos Tsantilas wrote: On 10/14/2016 02:30 PM, Marcus Kool wrote: Squid sends the following line to the URL rewriter: (unknown)://173.194.76.188:443 / - NONE Squid generates internally request to serve the non-HTTP

Re: [squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-10-17 Thread Christos Tsantilas
proposals for better handling these cases. Regards, Christos Marcus Quoting Christos Tsantilas <chris...@chtsanti.net>: Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead of HTTPS. This change allows Squid admins using SslBump to tunnel Skype groups and similar

[squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

2016-10-13 Thread Christos Tsantilas
Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead of HTTPS. This change allows Squid admins using SslBump to tunnel Skype groups and similar non-HTTP traffic bytes via "on_unsupported_protocol tunnel all". Previously, the combination resulted in encrypted HTTP 400 (Bad

Re: [squid-dev] New Defects reported by Coverity Scan for Squid after IndependentRunner

2016-09-12 Thread Christos Tsantilas
On 09/09/2016 10:26 PM, Alex Rousskov wrote: On 09/09/2016 11:21 AM, Christos Tsantilas wrote: On 09/09/2016 07:00 PM, Alex Rousskov wrote: On 09/09/2016 07:34 AM, Christos Tsantilas wrote: On 09/09/2016 02:21 PM, Amos Jeffries wrote: Also the IndependentRunner::registerRunner() method

Re: [squid-dev] New Defects reported by Coverity Scan for Squid after IndependentRunner

2016-09-09 Thread Christos Tsantilas
On 09/09/2016 07:00 PM, Alex Rousskov wrote: On 09/09/2016 07:34 AM, Christos Tsantilas wrote: On 09/09/2016 02:21 PM, Amos Jeffries wrote: These issues are caused by the new RegisterRunner() design using GetRidOfRunner(rr) if shutdown has already begun. That can potentially result

Re: [squid-dev] New Defects reported by Coverity Scan for Squid after IndependentRunner

2016-09-09 Thread Christos Tsantilas
On 09/09/2016 02:21 PM, Amos Jeffries wrote: These issues are caused by the new RegisterRunner() design using GetRidOfRunner(rr) if shutdown has already begun. That can potentially result in the constructor of a class inheriting from IndependentRunner deleting 'this', then the new'd object being

Re: [squid-dev] [PATCH] Squid crashes on shutdown while cleaning up idle ICAP connections Part2

2016-09-08 Thread Christos Tsantilas
Patch applied to trunk as r14825 with the requested changes. On 09/07/2016 05:56 PM, Amos Jeffries wrote: On 7/09/2016 9:44 p.m., Christos Tsantilas wrote: A preview of this patch originally discussed under the "[PATCH] Bug 4430 Squid crashes on shutdown while cleaning up idle ICAP connec

[squid-dev] [PATCH] Squid crashes on shutdown while cleaning up idle ICAP connections Part2

2016-09-07 Thread Christos Tsantilas
A preview of this patch originally discussed under the "[PATCH] Bug 4430 Squid crashes on shutdown while cleaning up idle ICAP connections" mail thread on squid-dev: http://lists.squid-cache.org/pipermail/squid-dev/2016-March/005214.html We fixed the patch so I hope it handles most of the

Re: [squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

2016-09-06 Thread Christos Tsantilas
On 09/06/2016 07:29 AM, Amos Jeffries wrote: On 25/08/2016 3:31 a.m., Christos Tsantilas wrote: When comparing the requested domain name with a certificate Common Name, Squid expanded wildcard to cover more than one domain name label (a.k.a component), violating RFC 2818 requirement[1

Re: [squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

2016-09-05 Thread Christos Tsantilas
If there are no objections I will apply this patch to trunk. On 08/24/2016 06:31 PM, Christos Tsantilas wrote: When comparing the requested domain name with a certificate Common Name, Squid expanded wildcard to cover more than one domain name label (a.k.a component), violating RFC 2818 requirement[1

[squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

2016-08-24 Thread Christos Tsantilas
When comparing the requested domain name with a certificate Common Name, Squid expanded wildcard to cover more than one domain name label (a.k.a component), violating RFC 2818 requirement[1]. For example, Squid thought that wrong.host.example.com matched a *.example.com CN. [1] "the

Re: [squid-dev] [PATCH] Fetch missing certificates

2016-08-01 Thread Christos Tsantilas
wrote: On 28/07/2016 1:38 a.m., Amos Jeffries wrote: On 28/07/2016 1:26 a.m., Christos Tsantilas wrote: On 07/27/2016 04:12 PM, Amos Jeffries wrote: Ping. Can this be applied soon please? I delay applying this patch because of the "crash after r14735" issue which does not allow me to

Re: [squid-dev] Broken trunk after r14735, r14726

2016-07-20 Thread Christos Tsantilas
On 07/19/2016 09:52 AM, Amos Jeffries wrote: On 18/07/2016 11:12 p.m., Christos Tsantilas wrote: On 07/16/2016 03:56 PM, Amos Jeffries wrote: On 16/07/2016 7:02 a.m., Alex Rousskov wrote: Hello, There are two more recent changes that broke trunk: * After r14735 (Replaced TidyPointer

Re: [squid-dev] [PATCH] Fetch missing certificates

2016-07-20 Thread Christos Tsantilas
On 07/20/2016 04:42 PM, Amos Jeffries wrote: On 16/07/2016 2:08 a.m., Christos Tsantilas wrote: A new patch. It also includes the following fixes: - Sets the log_uri for ClientHttpRequest build by Downloader - Removes two XXX comments from PeerConnector class, which are not valid any

Re: [squid-dev] Broken trunk after r14735, r14726

2016-07-18 Thread Christos Tsantilas
On 07/18/2016 08:32 PM, Alex Rousskov wrote: On 07/18/2016 08:49 AM, Christos Tsantilas wrote: On 07/18/2016 02:12 PM, Christos Tsantilas wrote: On 07/16/2016 03:56 PM, Amos Jeffries wrote: On 16/07/2016 7:02 a.m., Alex Rousskov wrote: * After r14726 (GnuTLS: support for TLS session resume

Re: [squid-dev] Broken trunk after r14735, r14726

2016-07-18 Thread Christos Tsantilas
On 07/18/2016 02:12 PM, Christos Tsantilas wrote: On 07/16/2016 03:56 PM, Amos Jeffries wrote: On 16/07/2016 7:02 a.m., Alex Rousskov wrote: * After r14726 (GnuTLS: support for TLS session resume): Squid segfaults when attempting to connect to a Secure ICAP service. Official Squid v4.0.12

Re: [squid-dev] Broken trunk after r14735, r14726

2016-07-18 Thread Christos Tsantilas
On 07/16/2016 03:56 PM, Amos Jeffries wrote: On 16/07/2016 7:02 a.m., Alex Rousskov wrote: Hello, There are two more recent changes that broke trunk: * After r14735 (Replaced TidyPointer with std::unique_ptr), Squid cannot start due to an "std::bad_function_call" exception. * After

Re: [squid-dev] [PATCH] Fetch missing certificates

2016-07-15 Thread Christos Tsantilas
On 07/15/2016 12:59 AM, Alex Rousskov wrote: On 07/13/2016 10:48 AM, Christos Tsantilas wrote: On 07/11/2016 10:13 PM, Alex Rousskov wrote: On 07/11/2016 10:18 AM, Christos Tsantilas wrote: +SBuf object; +Http::StatusCode status; +}; If you can make Downloader::CbDialer

Re: [squid-dev] [PATCH] Fetch missing certificates

2016-07-15 Thread Christos Tsantilas
A new patch. It also includes the following fixes: - Sets the log_uri for ClientHttpRequest built by Downloader - Removes two XXX comments from PeerConnector class, which are not valid any more - Makes the Downloader::CbDialer a CallDialer kid. Please also see my comments below. On

Re: [squid-dev] [PATCH] Fetch missing certificates

2016-07-15 Thread Christos Tsantilas
On 07/15/2016 11:14 AM, Amos Jeffries wrote: Or when we need some certainty about what the size of the data field actually is. Side track: For sizes of payload objects we should be centering on uint64_t to handle the large objects instead of size_t or int which can't handle them. This

Re: [squid-dev] [PATCH] Fetch missing certificates

2016-07-13 Thread Christos Tsantilas
On 07/11/2016 10:13 PM, Alex Rousskov wrote: On 07/11/2016 10:18 AM, Christos Tsantilas wrote: +/// The maximum allowed object size. +static const size_t MaxObjectSize = 1*1024*1024; +bool existingContent = reply ? reply->content_length : 0; +bool exceedS

Re: [squid-dev] [PATCH] Fetch missing certificates

2016-07-12 Thread Christos Tsantilas
On 07/11/2016 07:53 PM, Alex Rousskov wrote: On 07/11/2016 10:18 AM, Christos Tsantilas wrote: This patch includes a Downloader class which is implemented as an independent AsyncJob class (in the initial patch it was a ConnStateData kid). Currently another related discussion runs under the mail thread

[squid-dev] [PATCH] Fetch missing certificates

2016-07-11 Thread Christos Tsantilas
Patch description ~~~ Many web servers do not have complete certificate chains. Many browsers use certificate extensions of the server certificate and download the missing intermediate certificates automatically from the Internet. This patch adds this feature to Squid. The

Re: [squid-dev] Care and feeding of ConnStateData

2016-07-09 Thread Christos Tsantilas
On 07/07/2016 10:22 PM, Alex Rousskov wrote: On 07/06/2016 10:52 PM, Amos Jeffries wrote: On 7/07/2016 10:24 a.m., Alex Rousskov wrote: Q2. Where does the pending Downloader class belong? In overview I think if we have a good Downloader design those other things and ESIInclude should

Re: [squid-dev] [PATCH] LockingPointer API update

2016-06-22 Thread Christos Tsantilas
On 06/22/2016 04:02 AM, Alex Rousskov wrote: I have attached a list of relevant trunk calls. It may be incomplete. I ran over the list to check for problems. Also I checked the resetAndLock calls, looks ok. However the truth is that the reset/resetAndLock scheme for lockingPointer is

Re: [squid-dev] [PATCH] LockingPointer API update

2016-06-22 Thread Christos Tsantilas
On 06/22/2016 02:29 PM, Amos Jeffries wrote: On 22/06/2016 10:42 p.m., Christos Tsantilas wrote: On 06/22/2016 07:32 AM, Amos Jeffries wrote: On 22/06/2016 1:02 p.m., Alex Rousskov wrote: On 06/21/2016 04:00 AM, Amos Jeffries wrote: ... In the patch I'm working on now its looking very much

Re: [squid-dev] [PATCH] LockingPointer API update

2016-06-22 Thread Christos Tsantilas
On 06/22/2016 07:32 AM, Amos Jeffries wrote: On 22/06/2016 1:02 p.m., Alex Rousskov wrote: On 06/21/2016 04:00 AM, Amos Jeffries wrote: The two I saw were: 1) PeekingPeerConnector::handleServerCertificate() doing serverBump->serverCert.reset(serverCert.release()) On much closer inspection
