On 08/06/2015 02:55 PM, Amos Jeffries wrote:
On 6/08/2015 9:54 p.m., Tsantilas Christos wrote:
Hi all,
Currently the SSL subsystem is not initialized correctly in squid trunk.
This is because of Security::ProxyOutgoingConfig.encryptTransport,
which is always false, so the client SSL CTX object is never built. As a
result squid may not start if SSL is configured. I am attaching a small
patch I am using in my squid trees to work with SSL.
This always-enabled code is not compatible with the possible admin
configuration:
tls_outgoing_options disable
Can you please try this instead:
Security::PeerOptions::parse(const char *token)
{
if (strncmp(token, "disable", 7) == 0) {
clear();
+ return;
} else if (strncmp(token, "cert=", 5) == 0) {
...
} else {
debugs(3, DBG_CRITICAL, "ERROR: Unknown TLS option '" << ...
+ return;
}
+
+ encryptTransport = true;
}
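Review bot: encryptTransport = true is only reached on the fall-through path after a recognised token, so parse() has to be called at least once before outgoing TLS is enabled; a squid.conf that never mentions tls_outgoing_options never calls parse() and leaves the flag false, which is the start-up failure the original report describes. Separately, strncmp(token, "disable", 7) is a prefix match and would also accept tokens such as "disabled"; an exact comparison (strcmp, or checking token[7] == '\0') would be stricter.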
If that works you can go through and also remove uses of
"secure.encryptTransport = true" from adaptation/ServiceConfig.cc and
cache_cf.cc where it is set next to a call to secure.parse()
... but not the other one where it is set to always-on for https_port.
This will not work, because it is not required for someone to
configure any of the sslproxy options for the SSL client to work.
Squid can always work with the default options.
Security::ProxyOutgoingConfig.encryptTransport must always be
true unless the SSL client is disabled.
In previous squid releases it was not possible to disable the SSL client,
but now it looks like this can be done using
"tls_outgoing_options disable".
Maybe we need to add a parameter to the Security::PeerOptions constructor
to define whether SSL is enabled by default (for example in the case of
ProxyOutgoingConfig) or not (for example in the HTTP port configuration).
If the final result still works, please commit.
Amos
_______________________________________________
squid-dev mailing list
http://lists.squid-cache.org/listinfo/squid-dev
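The default-on versus default-off constructor parameter proposed in the reply, sketched as an added example (my own stand-in code, not Squid's; the PeerOptions class shown here, the configure() helper and the token handling are assumptions):

```cpp
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for Squid's Security::PeerOptions (names and layout are
// assumptions; this is not Squid's code). The constructor argument models the
// proposal in the thread: outgoing-proxy options default to TLS-on, while
// options for a listening port default to TLS-off.
struct PeerOptions {
    bool encryptTransport;
    std::string certFile;

    explicit PeerOptions(bool enabledByDefault) : encryptTransport(enabledByDefault) {}

    void clear() {
        encryptTransport = false;
        certFile.clear();
    }

    // Returns false on an unknown token so the caller can report the config error.
    bool parse(const char *token) {
        if (strcmp(token, "disable") == 0) {   // exact match, not a prefix match
            clear();
            return true;
        }
        if (strncmp(token, "cert=", 5) == 0) {
            certFile = token + 5;
            encryptTransport = true;           // any real TLS option turns TLS on
            return true;
        }
        return false;
    }
};

// Feeds each directive token to parse(), as the config parser would; an empty
// token list models a squid.conf that never mentions tls_outgoing_options.
PeerOptions configure(bool enabledByDefault, const std::vector<std::string> &tokens) {
    PeerOptions opts(enabledByDefault);
    for (const auto &t : tokens)
        opts.parse(t.c_str());
    return opts;
}
```

With a default-on object, an absent directive keeps TLS enabled and only an explicit "disable" turns it off, which is the behaviour the reply asks for.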