[squid-dev] Jenkins build is back to normal : 3.HEAD-coadvisor #680
See http://build.squid-cache.org/job/3.HEAD-coadvisor/680/ ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
[squid-dev] Build failed in Jenkins: trunk-matrix » gcc,j-fbsd-93 #160
See http://build.squid-cache.org/job/trunk-matrix/compiler=gcc,label=j-fbsd-93/160/ -- [...truncated 4360 lines...] /usr/local/lib/gcc49/include/c++/bits/stl_vector.h:803: undefined reference to `std::__throw_out_of_range_fmt(char const*, ...)' /usr/local/lib/gcc49/include/c++/bits/stl_vector.h:803: undefined reference to `std::__throw_out_of_range_fmt(char const*, ...)' /usr/local/lib/gcc49/include/c++/bits/stl_vector.h:803: undefined reference to `std::__throw_out_of_range_fmt(char const*, ...)' /usr/local/lib/gcc49/include/c++/bits/stl_vector.h:803: undefined reference to `std::__throw_out_of_range_fmt(char const*, ...)' wordlist.o: In function `_M_insertSBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' auth/.libs/libacls.a(AclMaxUserIp.o): In function `_M_insertconst SBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(IntRange.o): In function `_M_insertconst SBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(IntRange.o): In function `_M_insertconst Rangeint, long unsigned int': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(RegexData.o):/usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: more undefined references to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' follow acl/.libs/libacls.a(StringData.o): In function `std::listSBuf, std::allocatorSBuf ::_M_transfer(std::_List_iteratorSBuf, 
std::_List_iteratorSBuf, std::_List_iteratorSBuf)': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1673: undefined reference to `std::__detail::_List_node_base::_M_transfer(std::__detail::_List_node_base*, std::__detail::_List_node_base*)' acl/.libs/libacls.a(TimeData.o): In function `_M_insertconst SBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(Asn.o): In function `_M_insertconst SBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(DomainData.o): In function `_M_insertconst SBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(DomainData.o): In function `_M_insertSBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(HierCodeData.o): In function `_M_insertSBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(HttpHeaderData.o):/usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: more undefined references to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' follow acl/.libs/libacls.a(HttpHeaderData.o): In function `std::listSBuf, std::allocatorSBuf ::_M_transfer(std::_List_iteratorSBuf, std::_List_iteratorSBuf, std::_List_iteratorSBuf)': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1673: undefined reference to `std::__detail::_List_node_base::_M_transfer(std::__detail::_List_node_base*, std::__detail::_List_node_base*)' acl/.libs/libacls.a(HttpStatus.o): In function `_M_insertconst SBuf': 
/usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(HttpStatus.o): In function `_M_insertSBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(Ip.o): In function `_M_insertconst SBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(Ip.o): In function `_M_insertSBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to `std::__detail::_List_node_base::_M_hook(std::__detail::_List_node_base*)' acl/.libs/libacls.a(MaxConnection.o): In function `_M_insertconst SBuf': /usr/local/lib/gcc49/include/c++/bits/stl_list.h:1689: undefined reference to
[squid-dev] [PATCH] Secure ICAP
This patch adds support for ICAP services that require SSL/TLS transport connections. To mark an ICAP service as secure, use an icaps:// service URI scheme when listing your service via an icap_service directive. Squid uses port 11344 for Secure ICAP by default, following another popular proxy convention. The old 1344 default for plain ICAP ports has not changed.

This patch should be applied after the server_name and splicing resumed sessions patches are applied to trunk, and after re-merging with the trunk. However, we can start the discussion if you agree.

Technical Details
=================

This patch:

- Splits Ssl::PeerConnector class into Ssl::PeerConnector parent and two kids: Ssl::BlindPeerConnector, a basic SSL connector for cache_peers, and Ssl::PeekingPeerConnector, a peek-and-splice SSL connector for HTTP servers.
- Adds a third Ssl::IcapPeerConnector kid to connect to Secure ICAP servers.
- Fixes ErrorState class to avoid crashes on nil ErrorState::request member. (Ssl::IcapPeerConnector may generate an ErrorState with a nil request).
- Modifies the ACL peername to use the Secure ICAP server name as value while connecting to an ICAP server. This is useful to make SSL certificate policies based on ICAP server name. However, this change is undocumented until we decide whether a dedicated ACL would be better.

This is a Measurement Factory project.

Secure ICAP

This patch adds support for ICAP services that require SSL/TLS transport connections. The same options used for the cache_peer directive are used for the icap_service directive, with similar certificate validation logic. To mark an ICAP service as secure, use an icaps:// service URI scheme when listing your service via an icap_service directive. The industry is using a "Secure ICAP" term, and Squid follows that convention, but "icaps" seems more appropriate for a _scheme_ name. Squid uses port 11344 for Secure ICAP by default, following another popular proxy convention. The old 1344 default for plain ICAP ports has not changed.

Technical Details
=================

This patch:

- Splits Ssl::PeerConnector class into Ssl::PeerConnector parent and two kids: Ssl::BlindPeerConnector, a basic SSL connector for cache_peers, and Ssl::PeekingPeerConnector, a peek-and-splice SSL connector for HTTP servers.
- Adds a third Ssl::IcapPeerConnector kid to connect to Secure ICAP servers.
- Fixes ErrorState class to avoid crashes on nil ErrorState::request member. (Ssl::IcapPeerConnector may generate an ErrorState with a nil request).
- Modifies the ACL peername to use the Secure ICAP server name as value while connecting to an ICAP server. This is useful to make SSL certificate policies based on ICAP server name. However, this change is undocumented until we decide whether a dedicated ACL would be better.

This is a Measurement Factory project.

=== modified file 'src/FwdState.cc'
--- src/FwdState.cc 2015-03-20 15:10:07 +
+++ src/FwdState.cc 2015-04-06 16:15:04 +
@@ -678,42 +678,42 @@ debugs(17, 3, HERE serverConnection() : ' entry-url() ' ); comm_add_close_handler(serverConnection()-fd, fwdServerClosedWrapper, this); if (serverConnection()-getPeer()) peerConnectSucceded(serverConnection()-getPeer()); #if USE_OPENSSL if (!request-flags.pinned) { if ((serverConnection()-getPeer() serverConnection()-getPeer()-secure.encryptTransport) || (!serverConnection()-getPeer() request-url.getScheme() == AnyP::PROTO_HTTPS) || request-flags.sslPeek) { HttpRequest::Pointer requestPointer = request; AsyncCall::Pointer callback = asyncCall(17,4, FwdState::ConnectedToPeer, FwdStatePeerAnswerDialer(FwdState::connectedToPeer, this)); // Use positive timeout when less than one second is left. const time_t sslNegotiationTimeout = max(static_casttime_t(1), timeLeft()); -Ssl::PeerConnector *connector = -new Ssl::PeerConnector(requestPointer, serverConnection(), clientConn, callback, sslNegotiationTimeout); +Ssl::PeekingPeerConnector *connector = +new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, sslNegotiationTimeout); AsyncJob::Start(connector); // will call our callback return; } } #endif // if not encrypting just run the post-connect actions Security::EncryptorAnswer nil; connectedToPeer(nil); } void FwdState::connectedToPeer(Security::EncryptorAnswer answer) { if (ErrorState *error = answer.error.get()) { fail(error); answer.error.clear(); // preserve error for errorSendComplete() self = NULL; return; } @@ -1234,41 +1234,41 @@ if (!conn-getPeer()
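Review bot: in the hunk at @@ -678,42 +678,42 @@ the selection condition is left unchanged, so a cache_peer with secure.encryptTransport, a direct https:// request and a request with flags.sslPeek all now construct the new Ssl::PeekingPeerConnector. The preamble introduces Ssl::BlindPeerConnector as the basic SSL connector for cache_peers and reserves Ssl::PeekingPeerConnector for peek-and-splice to HTTP servers, so the encryptTransport cache_peer branch looks like it should construct Ssl::BlindPeerConnector here (or the choice between the two connectors should be made on request->flags.sslPeek), with a short comment recording the decision; as written, the blind connector is not reachable from this call site. The second hunk (@@ -1234,41 +1234,41 @@) is cut off on the page and is not reviewed here.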
Re: [squid-dev] [PATCH] splicing resumed sessions
A new version of the patch. This removes the ssl_bump_resuming_sessions directive and includes many fixes over the previous patch. It also includes support for the NPN and ALPN TLS extensions, required to correctly bump SSL connections. Please read carefully the patch preamble, especially the technical note part.

The resumed sessions and the NPN/ALPN extensions problem appeared in squid after our decision to not allow splicing of connections for which we do not have access to the server certificates. The resumed sessions do not include server certificates, and the NPN/ALPN extensions cause OpenSSL to abort before retrieving and verifying server certificates. The problem affects ssl bumping and makes it unusable in many cases. Many of the problems reported by users for squid-3.5 should be related to this. So probably this patch should be applied to squid-3.5 too. If yes, I will post the patch for squid-3.5 too.

Regards,
Christos

On 03/17/2015 07:21 PM, Tsantilas Christos wrote:

This patch adds the ssl_bump_resuming_sessions directive that controls SslBump behavior when dealing with resuming SSL/TLS sessions. Without these changes, SslBump usually terminates all resuming sessions with an error because such sessions do not include server certificates, preventing Squid from successfully validating the server identity.

After these changes, Squid either terminates or splices resuming sessions, depending on configuration. Splicing is the right default because Squid most likely has spliced the original connections that the client and server are trying to resume now. Most likely, the splicing decision would not change now (but the lack of the server certificate information means we cannot repeat the original ACL checks and need a special directive to tell Squid what to do). Also, without SslBump, session resumption would just work, and SslBump default should approach that ideal.

In many deployment scenarios, this straightforward splice or terminate resuming sessions implementation is exactly what the admin wants. Future projects may add more complex algorithms, including maintaining an SMP-shared cache of sessions that may be resumed in the future and evaluating client/server attempts to resume a session using that cache.

Example:

# splice all resuming sessions [this is the default]
ssl_bump_resuming_sessions allow all

This patch also makes SSL client Hello message parsing more robust and adds an SSL server Hello message parser.

This patch also prevents occasional segfaults when dealing with SSL cache_peer negotiation failures.

The last two changes should be applied to squid-3.5 even if this patch will not go into squid-3.5.

Regards,
Christos

Added ssl_bump_resuming_sessions to control treatment of resuming sessions by SslBump.

This patch adds code in squid to control SslBump behavior when dealing with resuming SSL/TLS sessions. Without these changes, SslBump usually terminates all resuming sessions with an error because such sessions do not include server certificates, preventing Squid from successfully validating the server identity.

After these changes, Squid splices resuming sessions. Splicing is right because Squid most likely has spliced the original connections that the client and server are trying to resume now. Without SslBump, session resumption would just work, and SslBump behaviour should approach that ideal.

Future projects may add ACL checks for allowing resuming sessions and may add more complex algorithms, including maintaining an SMP-shared cache of sessions that may be resumed in the future and evaluating client/server attempts to resume a session using that cache.

This patch also makes SSL client Hello message parsing more robust and adds an SSL server Hello message parser.

Also add support for the NPN (Next Protocol Negotiation) and ALPN (Application-Layer Protocol Negotiation) TLS extensions, required to correctly bump web clients that support these extensions.

Technical details
-----------------

In Peek mode, the old Squid code would forward the client Hello message to the server. If the server tries to resume the previous (spliced) SSL session with the client, then Squid SSL code gets an ssl/PeerConnector.cc "ccs received early" error (or similar) because the Squid SSL object expects a server certificate and does not know anything about the session being resumed. With this patch, Squid detects session resumption attempts and splices

Session resumption detection

There are two mechanisms in SSL/TLS for resuming sessions, the traditional shared session IDs and the TLS ticket extensions:

* If Squid detects a shared ID in both client and server Hello messages, then Squid decides whether the session is being resumed by comparing those client and server shared IDs. If (and only if) the IDs are the same, then Squid assumes that it is dealing with a resuming session (using session IDs).
* If Squid detects a TLS ticket in the
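The session-ID rule in the "Session resumption detection" section above, as an added example that is not part of the patch or of Squid's own code: a bounds-checked parser for a ClientHello/ServerHello record and a classifier that reports a resumed session only when both Hellos carry the same non-empty session_id. The TLS-ticket branch of the preamble is cut off on the page, so the example only reports whether the SessionTicket extension is present and does not decide on it. The function names (parse_hello, classify_resumption, build_hello) and the Hello records built by build_hello are constructed for this example, not captured traffic.

```python
import struct

HANDSHAKE = 0x16                       # TLS record content type: handshake
CLIENT_HELLO, SERVER_HELLO = 1, 2      # handshake message types
EXT_SESSION_TICKET = 0x0023            # RFC 5077 SessionTicket extension type


class _Cursor:
    """Bounds-checked reader: a short or malformed Hello raises instead of
    silently yielding garbage offsets (the robustness the preamble asks for)."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated Hello message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]


def parse_hello(record):
    """Parse one TLS record carrying a ClientHello or ServerHello.
    Returns the handshake type, the session_id and the set of extension types."""
    c = _Cursor(record)
    if c.u8() != HANDSHAKE:
        raise ValueError("not a handshake record")
    c.take(2)                                   # record-layer version
    body = _Cursor(c.take(c.u16()))             # record length, then record body
    hs_type = body.u8()
    msg = _Cursor(body.take(int.from_bytes(body.take(3), "big")))
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a Hello message")
    msg.take(2)                                 # client/server version
    msg.take(32)                                # random
    sid_len = msg.u8()
    if sid_len > 32:
        raise ValueError("session_id longer than 32 bytes")
    session_id = msg.take(sid_len)
    if hs_type == CLIENT_HELLO:
        msg.take(msg.u16())                     # cipher_suites
        msg.take(msg.u8())                      # compression_methods
    else:
        msg.take(2)                             # chosen cipher suite
        msg.take(1)                             # chosen compression method
    extensions = set()
    if msg.pos < len(msg.data):                 # the extensions block is optional
        exts = _Cursor(msg.take(msg.u16()))
        while exts.pos < len(exts.data):
            ext_type, ext_len = exts.u16(), exts.u16()
            exts.take(ext_len)
            extensions.add(ext_type)
    return {"type": hs_type, "session_id": session_id, "extensions": extensions}


def classify_resumption(client_record, server_record):
    """Session-ID rule from the preamble: a resumed session is assumed if,
    and only if, both Hellos carry a non-empty, identical session_id."""
    ch, sh = parse_hello(client_record), parse_hello(server_record)
    if ch["type"] != CLIENT_HELLO or sh["type"] != SERVER_HELLO:
        raise ValueError("expected a ClientHello and a ServerHello")
    if ch["session_id"] and ch["session_id"] == sh["session_id"]:
        return "resumed"
    return "full-handshake"


def build_hello(hs_type, session_id, extensions=()):
    """Construct a minimal TLS 1.2 Hello record (constructed test sample)."""
    ext_body = b"".join(struct.pack("!HH", t, 0) for t in extensions)
    msg = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    if hs_type == CLIENT_HELLO:
        msg += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"   # one suite, null compression
    else:
        msg += b"\xc0\x2f" + b"\x00"
    msg += struct.pack("!H", len(ext_body)) + ext_body
    hs = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    sid = bytes(range(16))
    print(classify_resumption(build_hello(CLIENT_HELLO, sid), build_hello(SERVER_HELLO, sid)))
    print(classify_resumption(build_hello(CLIENT_HELLO, sid), build_hello(SERVER_HELLO, bytes(16))))
```

A server that answers with an empty or different session_id has started a full handshake, and a certificate will follow, so the normal peek-and-validate path applies; only the matching-ID case lacks the certificate the validation step needs.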
Re: [squid-dev] [PATCH] server_name ACL
On 10/04/2015 1:06 a.m., Tsantilas Christos wrote:

Hi all,

I am reposting this patch. It is updated to the latest squid-trunk.

In a discussion with Amos (the period the squid-dev was down):
1) The server_name should be renamed to tls_server_name or ssl::server_name
2) There is a bug in Ssl::matchX509CommonNames function. The subjectAltName, if it exists, should be used instead of the subject name.

The (2) should be fixed as a separate issue/bug, and also applied to squid-3.5.

What about the (1)? The ssl: prefix looks better because the new feature can be used for ssl v3 too; it does not depend on tls. (However, I believe that we should agree and use one prefix for all of these features to not confuse users)

While being usable for SSLv3 is fine, SSL as a whole is already deprecated (RFC 6101 is Historic) and a "die die die" / MUST NOT use SSLv3 RFC is already on the fast track for publication within the year mandating that SSLv3 be rejected on sight.

I'm agreeing with ssl::server_name not because it's an SSL-compatible test, but because the existing ACLs for cert related details already use that prefix. We are already in the unfortunate position of having to rename at some future point, may as well at least be consistent until then.

As for the audit:

in src/acl/ServerName.h:
* please drop the \ingroup on new code. That feature of doxygen is no longer being used.

in src/cf.data.pre:
* s/SslBmp/SslBump/ or s/SslBmp/Ssl-Bump/

in src/ssl/PeerConnector.cc:
* Ssl::PeerConnector::handleServerCertificate() - please don't add HERE macro in new code.

+1, conditional on the name agreement and above cosmetic changes.

Amos
Re: [squid-dev] [PATCH] server_name ACL
Hi all,

I am reposting this patch. It is updated to the latest squid-trunk.

In a discussion with Amos (the period the squid-dev was down):
1) The server_name should be renamed to tls_server_name or ssl::server_name
2) There is a bug in Ssl::matchX509CommonNames function. The subjectAltName, if it exists, should be used instead of the subject name.

The (2) should be fixed as a separate issue/bug, and also applied to squid-3.5.

What about the (1)? The ssl: prefix looks better because the new feature can be used for ssl v3 too; it does not depend on tls. (However, I believe that we should agree and use one prefix for all of these features to not confuse users)

Regards,
Christos

On 02/24/2015 10:29 PM, Tsantilas Christos wrote:

Hi all,

This patch adds server_name ACL matching server name(s) obtained from various sources such as CONNECT request URI, client SNI, and SSL server certificate CN. During each SslBump step, Squid improves its understanding of a true server name, with a bias towards server-provided (and Squid-validated) information.

The server-provided server names are retrieved from the server certificate CN and Subject Alternate Names. The new server_name ACL matches any of the alternate names and CN. If the CN or an alternate name is a wildcard, then the new ACL matches any domain that matches the domain with the wildcard.

Other than supporting many sources of server name information (including sources that may supply Squid with multiple server name variants and wildcards), the new ACL is similar to dstdomain.

Also added a server_name_regex ACL.

Add server_name ACL matching server name(s) obtained from various sources such as CONNECT request URI, client SNI, and SSL server certificate CN. During each SslBump step, Squid improves its understanding of a true server name, with a bias towards server-provided (and Squid-validated) information.
The server-provided server names are retrieved from the server certificate CN and Subject Alternate Names. The new server_name ACL matches any of alternate names and CN. If the CN or an alternate name is a wildcard, then the new ACL matches any domain that matches the domain with the wildcard. Other than supporting many sources of server name information (including sources that may supply Squid with multiple server name variants and wildcards), the new ACL is similar to dstdomain. Also added a server_name_regex ACL. This is a Measurement Factory project. === modified file 'src/AclRegs.cc' --- src/AclRegs.cc 2015-01-16 18:12:04 + +++ src/AclRegs.cc 2015-02-13 11:39:50 + @@ -57,40 +57,41 @@ #include acl/Note.h #include acl/NoteData.h #include acl/PeerName.h #include acl/Protocol.h #include acl/ProtocolData.h #include acl/Random.h #include acl/Referer.h #include acl/RegexData.h #include acl/ReplyHeaderStrategy.h #include acl/ReplyMimeType.h #include acl/RequestHeaderStrategy.h #include acl/RequestMimeType.h #include acl/SourceAsn.h #include acl/SourceDomain.h #include acl/SourceIp.h #include acl/SquidError.h #include acl/SquidErrorData.h #if USE_OPENSSL #include acl/Certificate.h #include acl/CertificateData.h +#include acl/ServerName.h #include acl/SslError.h #include acl/SslErrorData.h #endif #include acl/Strategised.h #include acl/Strategy.h #include acl/StringData.h #if USE_OPENSSL #include acl/ServerCertificate.h #endif #include acl/Tag.h #include acl/Time.h #include acl/TimeData.h #include acl/Url.h #include acl/UrlLogin.h #include acl/UrlPath.h #include acl/UrlPort.h #include acl/UserData.h #if USE_AUTH #include auth/AclMaxUserIp.h #include auth/AclProxyAuth.h 
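Review bot: the new `+#include acl/ServerName.h` goes into the first `#if USE_OPENSSL` block, while acl/ServerCertificate.h lives in a second `#if USE_OPENSSL` block a few includes further down; both are OpenSSL-only ACL headers, so merging the two conditional blocks into one (Certificate.h, CertificateData.h, ServerCertificate.h, ServerName.h, SslError.h, SslErrorData.h) would keep the list sorted and make it harder to add one of these headers outside the guard by mistake.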
@@ -160,40 +161,46 @@ ACL::Prototype ACLUrlLogin::RegistryProtoype(ACLUrlLogin::RegistryEntry_, urllogin); ACLStrategisedchar const * ACLUrlLogin::RegistryEntry_(new ACLRegexData, ACLUrlLoginStrategy::Instance(), urllogin); ACL::Prototype ACLUrlPath::LegacyRegistryProtoype(ACLUrlPath::RegistryEntry_, pattern); ACL::Prototype ACLUrlPath::RegistryProtoype(ACLUrlPath::RegistryEntry_, urlpath_regex); ACLStrategisedchar const * ACLUrlPath::RegistryEntry_(new ACLRegexData, ACLUrlPathStrategy::Instance(), urlpath_regex); ACL::Prototype ACLUrlPort::RegistryProtoype(ACLUrlPort::RegistryEntry_, port); ACLStrategisedint ACLUrlPort::RegistryEntry_(new ACLIntRange, ACLUrlPortStrategy::Instance(), port); #if USE_OPENSSL ACL::Prototype ACLSslError::RegistryProtoype(ACLSslError::RegistryEntry_, ssl_error); ACLStrategisedconst Ssl::CertErrors * ACLSslError::RegistryEntry_(new ACLSslErrorData, ACLSslErrorStrategy::Instance(), ssl_error); ACL::Prototype ACLCertificate::UserRegistryProtoype(ACLCertificate::UserRegistryEntry_, user_cert); ACLStrategisedX509 * ACLCertificate::UserRegistryEntry_(new ACLCertificateData (Ssl::GetX509UserAttribute, *), ACLCertificateStrategy::Instance(),
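The matching rules described in the server_name ACL preamble (CN and subjectAltName as candidate names, wildcard names, dstdomain-like ACL entries) together with the subjectAltName-over-CN point raised in the review, as an added example that is neither Squid code nor the patch itself. Names are normalized to lower case without a trailing dot. Two points are assumptions, since the thread does not pin them down: a wildcard is honoured only as the whole left-most label and matches exactly one label (RFC 6125 style), and the "bias towards server-provided (and Squid-validated) information" is realized by matching against the most trustworthy source available (validated certificate names, else SNI, else the CONNECT host) rather than against all of them. The function names and sample names are constructed for this example.

```python
def _norm(name):
    """Case-insensitive comparison without a trailing dot."""
    return name.strip().lower().rstrip(".")


def certificate_names(subject_cn, subject_alt_names):
    """Names a certificate actually asserts. As raised in the thread, the
    subjectAltName entries, when present, are used instead of the subject CN."""
    names = subject_alt_names if subject_alt_names else ([subject_cn] if subject_cn else [])
    return [_norm(n) for n in names]


def wildcard_matches(pattern, host):
    """'*.example.com' matches exactly one left-most label (assumption)."""
    pattern, host = _norm(pattern), _norm(host)
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                                  # ".example.com"
    if "*" in suffix or not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def server_name_matches(acl_entry, server_name):
    """One ACL entry against one server name, dstdomain style: a leading dot
    means 'this domain and all its subdomains', otherwise an exact name.
    A wildcard server name matches an exact entry if the entry matches the
    wildcard, and a dotted entry if the wildcard's base domain lies under it."""
    entry, name = _norm(acl_entry), _norm(server_name)
    if entry.startswith("."):
        base = name[2:] if name.startswith("*.") else name
        return base == entry[1:] or base.endswith(entry)
    if name.startswith("*."):
        return wildcard_matches(name, entry)
    return entry == name


def best_server_names(connect_host, sni, subject_cn, subject_alt_names):
    """Most trustworthy source first (assumption): validated certificate
    names beat the client-supplied SNI, which beats the CONNECT host."""
    cert_names = certificate_names(subject_cn, subject_alt_names)
    if cert_names:
        return cert_names
    if sni:
        return [_norm(sni)]
    return [_norm(connect_host)] if connect_host else []


def acl_server_name(acl_entries, connect_host, sni, subject_cn=None, subject_alt_names=()):
    """True if any current server name matches any ACL entry."""
    names = best_server_names(connect_host, sni, subject_cn, subject_alt_names)
    return any(server_name_matches(e, n) for e in acl_entries for n in names)


if __name__ == "__main__":
    # Constructed sample: client claims a bank host, the validated cert says otherwise.
    print(acl_server_name([".bank.example"], "www.bank.example", "www.bank.example",
                          "other.test", ["other.test"]))
```

The last call shows why the bias matters: a client-chosen CONNECT host or SNI can name anything, so once a validated certificate is available its names decide, and an ACL written for the bank's domain does not match a connection whose server proved a different identity.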
Re: [squid-dev] [PATCH] splicing resumed sessions
On 04/09/2015 07:13 AM, Amos Jeffries wrote:

So for now this patch is okay, but we/you should already be thinking about how to auto-translate NPN from clients into ALPN to servers.

Please keep in mind that it is not possible to translate something and still splice a new SSL session (the client checksum will mismatch if we alter its handshake bytes). I am not 100% sure about resumed sessions, but I would expect them to use the same level of handshake modification protection, preventing splicing of resumed SSL connections with translated handshakes.

Optional translation for bumped sessions sounds like a potentially useful feature, but let's wait for somebody actually needing it.

For regular (no SslBump) reverse proxy connections to SSL servers, there is no _translation_ because Squid just sends whatever extensions it (i.e., OpenSSL) supports, including NPN and/or ALPN.

Cheers,
Alex.
Re: [squid-dev] [PATCH] Fix HttpStateData::readReply to retry reads from server
Applied to trunk as r14007.

On 04/09/2015 04:07 AM, Amos Jeffries wrote:

On 9/04/2015 3:12 a.m., Tsantilas Christos wrote:

Hi all,

This patch fixes HttpStateData::readReply to retry read from server in the case of EINPROGRESS, EAGAIN or similar errors.

This bug mostly affects SSL bumped connections. The HttpStateData::readReply will not retry read from server in the case of an EINPROGRESS or similar comm errors and the connection will hang, until the timeout handler is called.

The Comm::ReadNow method, used inside HttpStateData::readReply, calls the ignoreErrno function to test if the comm error should be ignored and in this case returns the Comm::INPROGRESS value. In this case we need to set flags.do_next_read to true to force the HttpStateData::maybeReadVirginBody() method to retry the read.

This is a Measurement Factory project

+1. Please apply ASAP.

Amos
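A model of the hang described in the readReply patch above, as an added example that is not Squid code: a non-blocking socketpair stands in for the server connection, read_now plays the role of Comm::ReadNow (classifying transient errnos the way ignoreErrno does), and ReplyReader carries a do_next_read flag like HttpStateData. With retry_on_inprogress=False the flag stays cleared after the first EAGAIN and the reply that arrives later is never read; with it set, the next maybe_read_virgin_body call picks the reply up. Names, the sample reply bytes and the single-threaded simulation are constructed for this example.

```python
import errno
import socket

# Errors that mean "nothing yet, try again later", mirroring what ignoreErrno treats as transient.
IGNORABLE_ERRNOS = {errno.EAGAIN, errno.EWOULDBLOCK, errno.EINPROGRESS, errno.EINTR}


def ignore_errno(err):
    return err in IGNORABLE_ERRNOS


def read_now(sock, size=4096):
    """Non-blocking read in the spirit of Comm::ReadNow. Returns a status and
    payload: ("ok", data), ("eof", b""), ("inprogress", None) or ("error", errno)."""
    try:
        data = sock.recv(size)
    except OSError as exc:
        return ("inprogress", None) if ignore_errno(exc.errno) else ("error", exc.errno)
    return ("ok", data) if data else ("eof", b"")


class ReplyReader:
    """Minimal model of the do_next_read flag in HttpStateData."""

    def __init__(self, server_sock, retry_on_inprogress):
        self.sock = server_sock
        self.retry = retry_on_inprogress
        self.do_next_read = True
        self.received = b""
        self.closed = False

    def read_reply(self):
        status, payload = read_now(self.sock)
        self.do_next_read = False
        if status == "ok":
            self.received += payload
            self.do_next_read = True            # more of the body may follow
        elif status == "inprogress":
            self.do_next_read = self.retry      # the fix: schedule another read
        else:
            self.closed = True                  # EOF or a hard error ends the reply

    def maybe_read_virgin_body(self):
        """True if a read was attempted; False if the reader idles, which in
        Squid means waiting until the timeout handler eventually fires."""
        if self.closed or not self.do_next_read:
            return False
        self.read_reply()
        return True


def simulate(retry_on_inprogress):
    """A slow server: the first read finds nothing, then the reply arrives."""
    proxy_side, server_side = socket.socketpair()
    proxy_side.setblocking(False)
    reader = ReplyReader(proxy_side, retry_on_inprogress)
    try:
        reader.maybe_read_virgin_body()                 # recv raises EAGAIN -> "inprogress"
        server_side.sendall(b"HTTP/1.1 200 OK\r\n")    # constructed sample reply
        reader.maybe_read_virgin_body()                 # only retried if the flag was kept
        return reader.received
    finally:
        proxy_side.close()
        server_side.close()


if __name__ == "__main__":
    print("fixed  :", simulate(True))
    print("buggy  :", simulate(False))
```

In a real event loop the second read would be driven by readiness notification rather than by an unconditional call, but the failure mode is the same: a reader that treats a transient errno as a terminal state never re-arms, and the only thing that ends the connection is the read timeout.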