Re: [squid-dev] [PATCH] Initial libsecurity API
New patch attached for review.
On 27/01/2015 8:26 a.m., Alex Rousskov wrote:
> On 01/14/2015 08:50 AM, Amos Jeffries wrote:
>> This is the first step(s) towards a generic TLS/SSL security API for Squid.
>
>> +// BUG: ssl_client.sslContext will leak on reconfigure when Config gets memset() ... +Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createContext();
>
> Which memset(Config) call are you referring to here?
>
>> void configFreeMemory(void) { free_all(); #if USE_OPENSSL SSL_CTX_free(Config.ssl_client.sslContext); #endif }
>
> And is not Config.ssl_client.sslContext destroyed in the old configFreeMemory() function quoted above?

I keep overlooking that one. :-(

>> +// it makes more sense to create a context per outbound connection instead of this
>
> Please remove this comment. Since each context may consume gobbles of RAM, I doubt what you are suggesting always makes more sense, but discussing this is outside your project scope.

Removed.

>> +NAME: tls_outgoing_options
>
> Please do not forget the recently added SSL_OP_NO_TICKET when merging.

Done.

>> +} // namespace Security + +// parse the tls_outgoing_options directive +inline void +parse_securePeerOptions(Security::PeerOptions *opt) +{ +while(const char *token = ConfigParser::NextToken()) { +opt-parse(token); +} +} + +#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear() +#define dump_securePeerOptions(e,n,x) // not supported yet
>
> Please add an XXX to explain why these are declared outside their namespace. For example: XXX: These declarations are outside their namespace because our generated parsing code cannot handle namespaces.

These are outside the namespace because that is the coding style used by all wrappers everywhere for the old config parser. No need for dozens of XXX comments IMO.

>> +// parse the tls_outgoing_options directive +inline void +parse_securePeerOptions(Security::PeerOptions *opt) +{ +while(const char *token = ConfigParser::NextToken()) { +opt-parse(token); +} +}
>
> I see no reasons to inline this loop. The related code is slow for other reasons and not in a critical path. Please do not inline unless really necessary.

Saves making it a #define. I get parser errors about duplicate definitions if it's defined in the .h and not inlined. Moved to the .cc.

>> +#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear() +#define dump_securePeerOptions(e,n,x) // not supported yet
>
> Why are these #defined? If they can be implemented as regular functions, they should be IMO.

That is how cache_cf.cc wrappers are defined for the old parser. I'm
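Review bot: free_securePeerOptions(x) discards its argument and always clears the global Security::ProxyOutgoingConfig, while parse_securePeerOptions() writes to whatever opt it is handed, so the two wrappers only agree as long as exactly one object of this type exists. Have the free wrapper clear the object it receives. The empty dump_securePeerOptions macro also makes configuration dumps silently omit tls_outgoing_options, so either give it a body or say in the directive documentation that the value is not dumped.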
[squid-dev] Build failed in Jenkins: trunk-x64-openbsd-54 #293
See http://build.squid-cache.org/job/trunk-x64-openbsd-54/293/

[...truncated 3173 lines...]
[squid-dev] [PATCH] sslproxy_options in peek-and-splice mode
Bug description:
- Squid sslproxy_options deny the use of TLSv1_2 SSL protocol: sslproxy_options NO_TLSv1_2
- Squid uses peek mode for bumped connections.
- Web client sends a TLSv1_2 hello message and squid in peek mode, forwards the client hello message to server
- Web server responds with a TLSv1_2 hello message
- Squid while parsing server hello message aborts with an error because sslproxy_options deny the use of TLSv1_2 protocol.

This patch fixes squid to ignore sslproxy_options in peek or stare bumping mode.

This is a Measurement Factory project

=== modified file 'src/SquidConfig.h' --- src/SquidConfig.h 2015-02-02 16:20:11 + +++ src/SquidConfig.h 2015-02-06 19:09:37 +
@@ -487,40 +487,41 @@ wordlist *ext_methods; struct { int high_rptm; int high_pf; size_t high_memory; } warnings; char *store_dir_select_algorithm; int sleep_after_fork; /* microseconds */ time_t minimum_expiry_time; /* seconds */ external_acl *externalAclHelperList; #if USE_OPENSSL struct { char *cert; char *key; int version; char *options; +long parsedOptions; char *cipher; char *cafile; char *capath; char *crlfile; char *flags; acl_access *cert_error; SSL_CTX *sslContext; sslproxy_cert_sign *cert_sign; sslproxy_cert_adapt *cert_adapt; } ssl_client; #endif char *accept_filter; int umask; int max_filedescriptors; int workers; CpuAffinityMap *cpuAffinityMap; #if USE_LOADABLE_MODULES wordlist *loadable_module_names; === modified file 'src/cache_cf.cc' --- src/cache_cf.cc 2015-02-02 20:02:55 + +++ src/cache_cf.cc 2015-02-06 19:09:37 + 
@@ -869,41 +869,44 @@ Config2.effectiveGroupID = getegid(); } if (NULL != Config.effectiveGroup) { struct group *grp = getgrnam(Config.effectiveGroup); if (NULL == grp) { fatalf(getgrnam failed to find groupid for effective group '%s', Config.effectiveGroup); return; } Config2.effectiveGroupID = grp-gr_gid; } #if USE_OPENSSL debugs(3, DBG_IMPORTANT, Initializing https proxy context); -Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile); +Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, NULL, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile); +// Pre-parse SSL client options to be applied when the client SSL objects created. +// Options must not used in the case of peek or stare bump mode. 
+Config.ssl_client.parsedOptions = Ssl::parse_options(::Config.ssl_client.options); for (CachePeer *p = Config.peers; p != NULL; p = p-next) { if (p-use_ssl) { debugs(3, DBG_IMPORTANT, Initializing cache_peer p-name SSL context); p-sslContext = sslCreateClientContext(p-sslcert, p-sslkey, p-sslversion, p-sslcipher, p-ssloptions, p-sslflags, p-sslcafile, p-sslcapath, p-sslcrlfile); } } for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s-next) { if (!s-flags.tunnelSslBumping) continue; debugs(3, DBG_IMPORTANT, Initializing http_port s-s SSL context); s-configureSslServerContext(); } for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s-next) { debugs(3, DBG_IMPORTANT, Initializing https_port s-s SSL context); s-configureSslServerContext(); } === modified file 'src/ssl/PeerConnector.cc' --- src/ssl/PeerConnector.cc 2015-01-13 07:25:36 + +++ src/ssl/PeerConnector.cc 2015-01-29 17:05:32 + @@ -155,40 +155,43 @@ const Ssl::Bio::sslFeatures features = clnBio-getFeatures(); if (features.sslVersion != -1) { features.applyToSSL(ssl); // Should we allow it for all protocols?
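Review bot: in the src/SquidConfig.h hunk the new ssl_client.parsedOptions field has no comment, and nothing in the struct says it is derived from options. Document that it holds the result of Ssl::parse_options() on options, that per-connection SSL objects are expected to receive it instead of the shared context, and that it has to be recomputed whenever options changes.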
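Review bot: in the src/cache_cf.cc hunk, passing NULL instead of Config.ssl_client.options to sslCreateClientContext() means the shared sslContext no longer carries any sslproxy_options, so every code path that creates an SSL object from that context now has to apply parsedOptions itself, or restrictions such as NO_TLSv1_2 are dropped for connections that are not peeked or stared at as well. The visible part of the patch shows only the pre-parse, so please confirm that each user of this context applies parsedOptions outside peek and stare modes, and state in the sslproxy_options documentation that the directive is ignored in those modes. Minor: the added comment should read "Options must not be used", and ::Config is mixed with Config on adjacent lines.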
[squid-dev] [PATCH] SNI information is not set on transparent bumping mode
Forward SNI (obtained from an intercepted client connection) to servers when SslBump peeks or stares at the server certificate.

SslBump was not forwarding SNI to servers when Squid obtained SNI from an intercepted client while peeking (or staring) at client Hello.

This patch also fixes squid to consider hostname included in SNI information more reliable than the hostname provided in CONNECT request for certificates CN verify.

This is a Measurement Factory project

=== modified file 'src/ssl/PeerConnector.cc' --- src/ssl/PeerConnector.cc 2015-01-13 07:25:36 + +++ src/ssl/PeerConnector.cc 2015-02-08 08:35:55 +
@@ -127,82 +127,91 @@ bail(anErr); return; } if (peer) { if (peer-ssldomain) SSL_set_ex_data(ssl, ssl_ex_index_server, peer-ssldomain); #if NOT_YET else if (peer-name) SSL_set_ex_data(ssl, ssl_ex_index_server, peer-name); #endif else SSL_set_ex_data(ssl, ssl_ex_index_server, peer-host); if (peer-sslSession) SSL_set_session(ssl, peer-sslSession); - -} else if (request-clientConnectionManager-sslBumpMode == Ssl::bumpPeek || request-clientConnectionManager-sslBumpMode == Ssl::bumpStare) { -// client connection is required for Peek or Stare mode in the case we need to splice +} else if (const ConnStateData *csd = request-clientConnectionManager.valid()) { +// client connection is required in the case we need to splice // or terminate client and server connections assert(clientConn != NULL); -SSL *clientSsl = fd_table[request-clientConnectionManager-clientConnection-fd].ssl; -BIO *b = SSL_get_rbio(clientSsl); -Ssl::ClientBio *clnBio = static_castSsl::ClientBio *(b-ptr); -const Ssl::Bio::sslFeatures features = clnBio-getFeatures(); -if (features.sslVersion != -1) { -features.applyToSSL(ssl); -// Should we allow it for all protocols? -if (features.sslVersion = 3) { -b = SSL_get_rbio(ssl); -Ssl::ServerBio *srvBio = static_castSsl::ServerBio *(b-ptr); -srvBio-setClientFeatures(features); -srvBio-recordInput(true); -srvBio-mode(request-clientConnectionManager-sslBumpMode); -} +const char *hostName = NULL; +Ssl::ClientBio *cltBio = NULL; + +// In server-first bumping mode, clientSsl is NULL. 
+if (SSL *clientSsl = fd_table[clientConn-fd].ssl) { +BIO *b = SSL_get_rbio(clientSsl); +cltBio = static_castSsl::ClientBio *(b-ptr); +const Ssl::Bio::sslFeatures features = cltBio-getFeatures(); +if (!features.serverName.isEmpty()) +hostName = features.serverName.c_str(); +} -const bool isConnectRequest = request-clientConnectionManager.valid() - !request-clientConnectionManager-port-flags.isIntercepted(); -if (isConnectRequest) -SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request-GetHost()); -else if (!features.serverName.isEmpty()) -SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)features.serverName.c_str()); +if (!hostName) { +// While we are peeking at the certificate, we may not know the server +// name that the client will request (after interception or CONNECT) +// unless it was the CONNECT request with a user-typed address. +const bool isConnectRequest = !csd-port-flags.isIntercepted(); +if (!request-flags.sslPeek || isConnectRequest) +hostName = request-GetHost(); +} + +if (hostName) +SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostName); + +if (csd-sslBumpMode == Ssl::bumpPeek || csd-sslBumpMode == Ssl::bumpStare) { +assert(cltBio); +const Ssl::Bio::sslFeatures features = cltBio-getFeatures(); +if (features.sslVersion != -1) { +features.applyToSSL(ssl); +// Should we allow it for all protocols? +if (features.sslVersion = 3) { +BIO *b = SSL_get_rbio(ssl); +Ssl::ServerBio *srvBio = static_castSsl::ServerBio *(b-ptr); +// Inherite client features, like SSL version, SNI and other +srvBio-setClientFeatures(features); +
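Review bot: in the rewritten else-if branch, hostName = features.serverName.c_str() takes a pointer into features, which is a by-value copy declared inside the if (SSL *clientSsl = ...) block, so the pointer is already out of scope when SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostName) stores it a few lines later. Keep the storage alive for as long as ssl uses that ex_data slot, for example by copying the name into an object owned by the connection or released through the ex_data free callback. Also, assert(cltBio) in the peek/stare block depends on the client fd having an SSL object, and the hunk does not show what guarantees that in those modes; failing the connection is safer than aborting the worker.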
[squid-dev] Build failed in Jenkins: trunk-x64-centos-6-clang #466
See http://build.squid-cache.org/job/trunk-x64-centos-6-clang/466/changes

Changes:

[Amos Jeffries] Bug 4176: Digest auth too many helper lookups

[...truncated 3763 lines...]