Re: [squid-dev] [PATCH] Initial libsecurity API

2015-02-08 Thread Amos Jeffries

New patch attached for review.




On 27/01/2015 8:26 a.m., Alex Rousskov wrote:
 On 01/14/2015 08:50 AM, Amos Jeffries wrote:
 This is the first step(s) towards a generic TLS/SSL security API for
 Squid.
 
 
 +// BUG: ssl_client.sslContext will leak on reconfigure when Config gets 
 memset()
 ...
 +Config.ssl_client.sslContext = 
 Security::ProxyOutgoingConfig.createContext();
 
 Which memset(Config) call are you referring to here?
 
 void
 configFreeMemory(void)
 {   
 free_all();
 #if USE_OPENSSL
 SSL_CTX_free(Config.ssl_client.sslContext);
 #endif
 }
 
 And is not Config.ssl_client.sslContext destroyed in the old
 configFreeMemory() function quoted above?

I keep overlooking that one. :-(

 +// it makes more sense to create a context per outbound connection 
 instead of this
 
 Please remove this comment. Since each context may consume gobbles of
 RAM, I doubt what you are suggesting always makes more sense, but
 discussing this is outside your project scope.
 
 

Removed.


 +NAME: tls_outgoing_options
 
 Please do not forget the recently added SSL_OP_NO_TICKET when merging.
 

Done.

 
 +} // namespace Security
 +
 +// parse the tls_outgoing_options directive
 +inline void
 +parse_securePeerOptions(Security::PeerOptions *opt)
 +{
 +while(const char *token = ConfigParser::NextToken()) {
 +opt-parse(token);
 +}
 +}
 +
 +#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
 +#define dump_securePeerOptions(e,n,x) // not supported yet
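Review bot: free_securePeerOptions(x) ignores its argument and always clears the global Security::ProxyOutgoingConfig, while parse_securePeerOptions() works on whatever opt pointer it is handed. If this directive type is ever bound to a second Security::PeerOptions object, freeing it would reset the wrong instance; clearing through the macro argument would keep parse and free symmetric. The empty dump_securePeerOptions also deserves a comment on what is missing from config dumps until it is implemented.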
 
 
 Please add an XXX to explain why these are declared outside their
 namespace. For example:
 
 XXX: These declarations are outside their namespace because our
 generated parsing code cannot handle namespaces.

These are outside the namespace because that is the coding style used by
all wrappers everywhere for the old config parser. No need for dozens of
XXX comments IMO.


 
 +// parse the tls_outgoing_options directive
 +inline void
 +parse_securePeerOptions(Security::PeerOptions *opt)
 +{
 +while(const char *token = ConfigParser::NextToken()) {
 +opt-parse(token);
 +}
 +}
 
 I see no reasons to inline this loop. The related code is slow for other
 reasons and not in a critical path. Please do not inline unless really
 necessary.
 

Saves making it a #define. I get parser errors about duplicate
definitions if it's defined in the .h and not inlined.

Moved to the .cc.

 
 +#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
 +#define dump_securePeerOptions(e,n,x) // not supported yet
 
 Why are these #defined? If they can be implemented as regular functions,
 they should be IMO.
 

That is how cache_cf.cc wrappers are defined for the old parser. I'm 

[squid-dev] Build failed in Jenkins: trunk-x64-openbsd-54 #293

2015-02-08 Thread noc
See http://build.squid-cache.org/job/trunk-x64-openbsd-54/293/

--
[...truncated 3173 lines...]

[squid-dev] [PATCH] sslproxy_options in peek-and-splice mode

2015-02-08 Thread Tsantilas Christos

Bug description:

  - Squid sslproxy_options deny the use of the TLSv1_2 SSL protocol:
   sslproxy_options NO_TLSv1_2
  - Squid uses peek mode for bumped connections.
  - Web client sends a TLSv1_2 hello message and Squid, in peek mode,
forwards the client hello message to the server
  - Web server responds with a TLSv1_2 hello message
  - Squid, while parsing the server hello message, aborts with an error
because sslproxy_options deny the use of the TLSv1_2 protocol.


This patch fixes squid to ignore sslproxy_options in peek or stare 
bumping mode.


This is a Measurement Factory project
sslproxy_options in peek-and-splice mode

Problem description:
  - Squid sslproxy_options deny the use of the TLSv1_2 SSL protocol:
 sslproxy_options NO_TLSv1_2
  - Squid uses peek mode for bumped connections.
  - Web client sends a TLSv1_2 hello message and Squid, in peek mode, forwards
the client hello message to the server
  - Web server responds with a TLSv1_2 hello message
  - Squid, while parsing the server hello message, aborts with an error because
sslproxy_options deny the use of the TLSv1_2 protocol.
  
This patch fixes squid to ignore sslproxy_options in peek or stare bumping mode.

This is a Measurement Factory project
=== modified file 'src/SquidConfig.h'
--- src/SquidConfig.h	2015-02-02 16:20:11 +
+++ src/SquidConfig.h	2015-02-06 19:09:37 +
@@ -487,40 +487,41 @@
 
 wordlist *ext_methods;
 
 struct {
 int high_rptm;
 int high_pf;
 size_t high_memory;
 } warnings;
 char *store_dir_select_algorithm;
 int sleep_after_fork;   /* microseconds */
 time_t minimum_expiry_time; /* seconds */
 external_acl *externalAclHelperList;
 
 #if USE_OPENSSL
 
 struct {
 char *cert;
 char *key;
 int version;
 char *options;
+long parsedOptions;
 char *cipher;
 char *cafile;
 char *capath;
 char *crlfile;
 char *flags;
 acl_access *cert_error;
 SSL_CTX *sslContext;
 sslproxy_cert_sign *cert_sign;
 sslproxy_cert_adapt *cert_adapt;
 } ssl_client;
 #endif
 
 char *accept_filter;
 int umask;
 int max_filedescriptors;
 int workers;
 CpuAffinityMap *cpuAffinityMap;
 
 #if USE_LOADABLE_MODULES
 wordlist *loadable_module_names;
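Review bot: the new parsedOptions member in ssl_client sits next to options with no comment saying what it holds or when it is valid. Going by the cache_cf.cc change, it is the result of Ssl::parse_options(options), kept so that the options can be applied per SSL object rather than on the shared context; a one-line comment to that effect here would stop later code from treating options and parsedOptions as independent settings.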

=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc	2015-02-02 20:02:55 +
+++ src/cache_cf.cc	2015-02-06 19:09:37 +
@@ -869,41 +869,44 @@
 Config2.effectiveGroupID = getegid();
 }
 
 if (NULL != Config.effectiveGroup) {
 
 struct group *grp = getgrnam(Config.effectiveGroup);
 
 if (NULL == grp) {
 fatalf(getgrnam failed to find groupid for effective group '%s',
Config.effectiveGroup);
 return;
 }
 
 Config2.effectiveGroupID = grp-gr_gid;
 }
 
 #if USE_OPENSSL
 
 debugs(3, DBG_IMPORTANT, Initializing https proxy context);
 
-Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
+Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, NULL, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
+// Pre-parse SSL client options to be applied when the client SSL objects created.
+// Options must not used in the case of peek or stare bump mode.
+Config.ssl_client.parsedOptions = Ssl::parse_options(::Config.ssl_client.options);
 
 for (CachePeer *p = Config.peers; p != NULL; p = p-next) {
 if (p-use_ssl) {
 debugs(3, DBG_IMPORTANT, Initializing cache_peer   p-name   SSL context);
 p-sslContext = sslCreateClientContext(p-sslcert, p-sslkey, p-sslversion, p-sslcipher, p-ssloptions, p-sslflags, p-sslcafile, p-sslcapath, p-sslcrlfile);
 }
 }
 
 for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s-next) {
 if (!s-flags.tunnelSslBumping)
 continue;
 
 debugs(3, DBG_IMPORTANT, Initializing http_port   s-s   SSL context);
 s-configureSslServerContext();
 }
 
 for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s-next) {
 debugs(3, DBG_IMPORTANT, Initializing https_port   s-s   SSL context);
 s-configureSslServerContext();
 }
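Review bot: passing NULL as the options argument of sslCreateClientContext() means the shared client context no longer carries any sslproxy_options, so every path that creates an SSL object from Config.ssl_client.sslContext now has to apply Config.ssl_client.parsedOptions itself whenever the connection is not in peek or stare mode. Nothing in this hunk enforces that, and a path that forgets would silently allow protocols the administrator disabled (the NO_TLSv1_2 case from the description); please point to where the options are applied, or route it through one helper. Smaller points: the new comment should read "must not be used", and the added assignment mixes Config. and ::Config. in a single statement.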

=== modified file 'src/ssl/PeerConnector.cc'
--- src/ssl/PeerConnector.cc	2015-01-13 07:25:36 +
+++ src/ssl/PeerConnector.cc	2015-01-29 17:05:32 +
@@ -155,40 +155,43 @@
 const Ssl::Bio::sslFeatures features = clnBio-getFeatures();
 if (features.sslVersion != -1) {
 features.applyToSSL(ssl);
 // Should we allow it for all protocols?

[squid-dev] [PATCH] SNI information is not set on transparent bumping mode

2015-02-08 Thread Tsantilas Christos

SNI information is not set on transparent bumping mode

Forward SNI (obtained from an intercepted client connection) to servers 
when SslBump peeks or stares at the server certificate.


SslBump was not forwarding SNI to servers when Squid obtained SNI from 
an intercepted client while peeking (or staring) at client Hello.


This patch also fixes Squid to consider the hostname included in SNI
information more reliable than the hostname provided in the CONNECT request
for certificate CN verification.


This is a Measurement Factory project
SNI information is not set on transparent bumping mode

Forward SNI (obtained from an intercepted client connection) to servers
when SslBump peeks or stares at the server certificate.

SslBump was not forwarding SNI to servers when Squid obtained SNI from an 
intercepted client while peeking (or staring) at client Hello.

This is a Measurement Factory project
=== modified file 'src/ssl/PeerConnector.cc'
--- src/ssl/PeerConnector.cc	2015-01-13 07:25:36 +
+++ src/ssl/PeerConnector.cc	2015-02-08 08:35:55 +
@@ -127,82 +127,91 @@
 bail(anErr);
 return;
 }
 
 if (peer) {
 if (peer-ssldomain)
 SSL_set_ex_data(ssl, ssl_ex_index_server, peer-ssldomain);
 
 #if NOT_YET
 
 else if (peer-name)
 SSL_set_ex_data(ssl, ssl_ex_index_server, peer-name);
 
 #endif
 
 else
 SSL_set_ex_data(ssl, ssl_ex_index_server, peer-host);
 
 if (peer-sslSession)
 SSL_set_session(ssl, peer-sslSession);
-
-} else if (request-clientConnectionManager-sslBumpMode == Ssl::bumpPeek || request-clientConnectionManager-sslBumpMode == Ssl::bumpStare) {
-// client connection is required for Peek or Stare mode in the case we need to splice
+} else if (const ConnStateData *csd = request-clientConnectionManager.valid()) {
+// client connection is required in the case we need to splice
 // or terminate client and server connections
 assert(clientConn != NULL);
-SSL *clientSsl = fd_table[request-clientConnectionManager-clientConnection-fd].ssl;
-BIO *b = SSL_get_rbio(clientSsl);
-Ssl::ClientBio *clnBio = static_castSsl::ClientBio *(b-ptr);
-const Ssl::Bio::sslFeatures features = clnBio-getFeatures();
-if (features.sslVersion != -1) {
-features.applyToSSL(ssl);
-// Should we allow it for all protocols?
-if (features.sslVersion = 3) {
-b = SSL_get_rbio(ssl);
-Ssl::ServerBio *srvBio = static_castSsl::ServerBio *(b-ptr);
-srvBio-setClientFeatures(features);
-srvBio-recordInput(true);
-srvBio-mode(request-clientConnectionManager-sslBumpMode);
-}
+const char *hostName = NULL;
+Ssl::ClientBio *cltBio = NULL;
+
+// In server-first bumping mode, clientSsl is NULL.
+if (SSL *clientSsl = fd_table[clientConn-fd].ssl) {
+BIO *b = SSL_get_rbio(clientSsl);
+cltBio = static_castSsl::ClientBio *(b-ptr);
+const Ssl::Bio::sslFeatures features = cltBio-getFeatures();
+if (!features.serverName.isEmpty())
+hostName = features.serverName.c_str();
+}
 
-const bool isConnectRequest = request-clientConnectionManager.valid() 
-  !request-clientConnectionManager-port-flags.isIntercepted();
-if (isConnectRequest)
-SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request-GetHost());
-else if (!features.serverName.isEmpty())
-SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)features.serverName.c_str());
+if (!hostName) {
+// While we are peeking at the certificate, we may not know the server
+// name that the client will request (after interception or CONNECT)
+// unless it was the CONNECT request with a user-typed address.
+const bool isConnectRequest = !csd-port-flags.isIntercepted();
+if (!request-flags.sslPeek || isConnectRequest)
+hostName = request-GetHost();
+}
+
+if (hostName)
+SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostName);
+
+if (csd-sslBumpMode == Ssl::bumpPeek || csd-sslBumpMode == Ssl::bumpStare) {
+assert(cltBio);
+const Ssl::Bio::sslFeatures features = cltBio-getFeatures();
+if (features.sslVersion != -1) {
+features.applyToSSL(ssl);
+// Should we allow it for all protocols?
+if (features.sslVersion = 3) {
+BIO *b = SSL_get_rbio(ssl);
+Ssl::ServerBio *srvBio = static_castSsl::ServerBio *(b-ptr);
+// Inherite client features, like SSL version, SNI and other
+srvBio-setClientFeatures(features);
+
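Review bot: in the new clientSsl block, hostName is set to features.serverName.c_str() where features is a local copy declared inside that if block, and the pointer is only handed to SSL_set_ex_data() after the block has closed. Unless c_str() returns storage that outlives the copy, ssl_ex_index_server ends up referring to released memory, and per the description that value is the name used for certificate CN verification; read the name from an object that lives as long as the connection, or store a copy with that lifetime. Also, assert(cltBio) in the peek/stare branch aborts when the client fd has no ssl entry in fd_table, which the comment above says is the server-first case, so the code depends on those modes never coinciding. Typo in the added comment: "Inherite" should be "Inherit".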

[squid-dev] Build failed in Jenkins: trunk-x64-centos-6-clang #466

2015-02-08 Thread noc
See http://build.squid-cache.org/job/trunk-x64-centos-6-clang/466/changes

Changes:

[Amos Jeffries] Bug 4176: Digest auth too many helper lookups

--
[...truncated 3763 lines...]