Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-27 Thread Amos Jeffries
On 27/01/2017 5:54 a.m., Christos Tsantilas wrote:
> The patch applied to squid-5 as r15020 with the fixes suggested by Alex.
>
> I am attaching the equivalent patch for squid-3.5.

Applied to 3.5 as rev.14139

Amos

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-26 Thread Christos Tsantilas
The patch applied to squid-5 as r15020 with the fixes suggested by Alex.

I am attaching the equivalent patch for squid-3.5.

On 25/01/2017 11:42 PM, Alex Rousskov wrote:
On 01/25/2017 12:12 PM, Christos Tsantilas wrote:
On 25/01/2017 08:24 PM, Alex Rousskov wrote:
* A client-sent ClientHello

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-25 Thread Alex Rousskov
On 01/25/2017 12:12 PM, Christos Tsantilas wrote:
>> On 25/01/2017 08:24 PM, Alex Rousskov wrote:
>> * A client-sent ClientHello is required for peeking. The calling code
>> must ensure that we never get here without it. Throw if our calling code
>> is buggy.
> This is correct.

Great. I have

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-25 Thread Christos Tsantilas
On 25/01/2017 08:24 PM, Alex Rousskov wrote:
On 01/16/2017 04:38 AM, Christos Tsantilas wrote:
On 13/01/2017 07:04 PM, Alex Rousskov wrote:
The dependency here is that clientHelloMessage comes from our parser. We can substitute OpenSSL-generated ClientHello with client-sent ClientHello

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-25 Thread Alex Rousskov
On 01/16/2017 04:38 AM, Christos Tsantilas wrote:
> On 13/01/2017 07:04 PM, Alex Rousskov wrote:
>> The dependency here is that clientHelloMessage comes from our parser. We
>> can substitute OpenSSL-generated ClientHello with client-sent
>> ClientHello because/if we successfully parsed and stored

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-16 Thread Christos Tsantilas
I am attaching a new patch based on Alex's comments. I also changed the patch preamble a little to better match what Squid does. Please see my comments below.

On 13/01/2017 07:04 PM, Alex Rousskov wrote:
On 01/12/2017 02:28 PM, Christos Tsantilas wrote:
On 12/01/2017 06:48 PM, Alex Rousskov

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-13 Thread Alex Rousskov
On 01/12/2017 02:28 PM, Christos Tsantilas wrote:
> On 12/01/2017 06:48 PM, Alex Rousskov wrote:
>> On 01/12/2017 08:35 AM, Christos Tsantilas wrote:
>>> The patch fixes Squid to peeks (or stares) at the origin server as
>>> configured, even if it does not recognize the client TLS record/message.

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-12 Thread Christos Tsantilas
On 12/01/2017 06:48 PM, Alex Rousskov wrote:
On 01/12/2017 08:35 AM, Christos Tsantilas wrote:
The patch fixes Squid to peeks (or stares) at the origin server as configured, even if it does not recognize the client TLS record/message.
s/to peeks (or stares)/to peek (or stare)/
I agree that

Re: [squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-12 Thread Alex Rousskov
On 01/12/2017 08:35 AM, Christos Tsantilas wrote:
> The patch fixes Squid to peeks (or stares) at the origin server as
> configured, even if it does not recognize the client TLS
> record/message.

s/to peeks (or stares)/to peek (or stare)/

I agree that this is the right thing to do, but I have

[squid-dev] [PATCH] SSLv2 records force SslBump bumping despite a matching step2 peek rule.

2017-01-12 Thread Christos Tsantilas
If Squid receives a valid TLS Hello encapsulated into ancient SSLv2 records (observed on Solaris 10) the old code ignored the step2 peek decision and bumped the transaction instead. The patch fixes Squid to peeks (or stares) at the origin server as configured, even if it does not recognize