On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
> This patch adds the "ssl_bump_resuming_sessions" directive that controls
> SslBump behavior when dealing with "resuming SSL/TLS sessions". Without
> these changes, SslBump usually terminates all resuming sessions with an
> error because such sessions do not include server certificates,
> preventing Squid from successfully validating the server identity.
>
> After these changes, Squid either terminates or splices resuming
> sessions, depending on configuration. Splicing is the right default
> because Squid most likely has spliced the original connections that the
> client and server are trying to resume now. Most likely, the splicing
> decision would not change now (but the lack of the server certificate
> information means we cannot repeat the original ACL checks and need a
> special directive to tell Squid what to do). Also, without SslBump,
> session resumption would just work, and SslBump default should approach
> that ideal.
>
> In many deployment scenarios, this straightforward "splice or terminate
> resuming sessions" implementation is exactly what the admin wants.
> Future projects may add more complex algorithms, including maintaining
> an SMP-shared cache of sessions that may be resumed in the future and
> evaluating client/server attempts to resume a session using that cache.
>
> Example:
> # splice all resuming sessions [this is the default]
> ssl_bump_resuming_sessions allow all
>
> This patch also makes SSL client Hello message parsing more robust and
> adds an SSL server Hello message parser.
>
> This patch also prevents occasional segfaults when dealing with SSL
> cache_peer negotiation failures.
>
> The last two changes should be applied to squid-3.5 even if this patch will
> not go into squid-3.5.
As discussed in the other branch of this thread, please remove the access control directive until it's actually required.

I think the whole thing can go back to 3.5 if it's applying cleanly.

in src/ssl/bio.cc
 * has many places with unnecessary whitespace additions. Such as "> size )", "< size)", and "<< sessIdLen);"

in src/ssl/bio.h
 * parseV3ServerHello() documented as what is a "v3 server Hello A message." ? - looks like the 'A' is misplaced, or there is an RFC reference missing that would explain better.

+1. Otherwise, looks good to me.

Amos

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
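As an added illustration of the check the patch description rests on (this is example code written for this thread, not the Squid patch's parser or its bio.cc code), the following parses a ClientHello and ServerHello only as far as the session ID, detects a resumed session (server echoes the client's non-empty ID, so no server Certificate message will follow), and maps that onto the splice-or-terminate policy the directive expresses. The hello records are constructed, minimal TLS 1.2 messages; `make_hello`, `bump_decision` and the sample session ID are assumptions for this example.

```python
import struct

CLIENT_HELLO, SERVER_HELLO = 1, 2   # TLS HandshakeType values

def _parse_hello(record: bytes, expected_type: int) -> bytes:
    """Parse one TLS handshake record just far enough to return its session ID;
    every length is checked so a truncated record raises ValueError instead of over-reading."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if body[0] != expected_type or len(hello) != hs_len:
        raise ValueError("unexpected or truncated handshake message")
    if len(hello) < 35:                       # version(2) + random(32) + session_id_len(1)
        raise ValueError("hello too short")
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        raise ValueError("bad session ID length")
    return hello[35:35 + sid_len]

def is_resumed_session(client_hello: bytes, server_hello: bytes) -> bool:
    """True when the server echoed the client's non-empty session ID: an abbreviated
    handshake follows and no server Certificate message will be seen on the wire."""
    client_sid = _parse_hello(client_hello, CLIENT_HELLO)
    return bool(client_sid) and client_sid == _parse_hello(server_hello, SERVER_HELLO)

def bump_decision(client_hello: bytes, server_hello: bytes, resuming_allowed: bool) -> str:
    """Full handshakes keep the normal SslBump path (the certificate will arrive);
    resumed sessions are spliced or terminated according to the directive setting."""
    if not is_resumed_session(client_hello, server_hello):
        return "full-handshake"
    return "splice" if resuming_allowed else "terminate"

def make_hello(hs_type: int, session_id: bytes) -> bytes:
    """Constructed minimal TLS 1.2 hello record: zeroed random and nothing after the
    session ID (a real hello continues with cipher suites); enough for the parser above."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed sample exchange: the client offers a session ID and the server accepts it.
SESSION_ID = bytes(range(16))
RESUMING_CLIENT = make_hello(CLIENT_HELLO, SESSION_ID)
RESUMING_SERVER = make_hello(SERVER_HELLO, SESSION_ID)
FRESH_SERVER = make_hello(SERVER_HELLO, bytes(range(16, 48)))   # server assigns a new ID
```

With `resuming_allowed=True` (the directive's default of `allow all`) the sample exchange yields "splice"; with the same client hello and `FRESH_SERVER` it yields "full-handshake" regardless of the setting.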