Using an https_port with intercept or tproxy is pretty useless without
ssl-bump being enabled. So auto-enable the 'ssl-bump' option on those
ports instead of aborting with an error about ssl-bump being needed.

The result of this should be that the intercepted traffic gets received
by either the 'unknown protocol' pass-thru settings or the admin's other
ssl-bump related settings enacted.

Amos
=== modified file 'doc/release-notes/release-4.sgml'
--- doc/release-notes/release-4.sgml    2016-06-09 20:31:15 +0000
+++ doc/release-notes/release-4.sgml    2016-06-13 14:45:42 +0000
@@ -272,6 +272,8 @@
        <p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
        <p>Manual squid.conf update may be required on upgrade.
        <p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes 
multiple entries.
+       <p><em>ssl-bump</em> is now implicitly enabled for <em>intercept</em> or
+          <em>tproxy</em> ports.
 
        <tag>icap_service</tag>
        <p>New scheme <em>icaps://</em> to enable TLS/SSL connections to Secure 
ICAP
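Review bot: the new release-note entry states the behaviour change but not its operational consequence for the admin, which is the point a reader of the "Manual squid.conf update may be required on upgrade" section needs. An https_port with intercept or tproxy that previously refused to start without ssl-bump will now start and bump the intercepted TLS according to whatever ssl_bump rules (or the 'unknown protocol' pass-thru handling described in the commit message) happen to be configured. Suggest adding one sentence to the entry saying that admins with intercept/tproxy https_port lines should review their ssl_bump rules before upgrading, since bumping is now on by default for those ports rather than a configuration error.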

=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc     2016-04-03 23:41:58 +0000
+++ src/cache_cf.cc     2016-06-13 14:24:22 +0000
@@ -3696,10 +3696,9 @@
             debugs(3, DBG_CRITICAL, "FATAL: ssl-bump on https_port requires 
tproxy/intercept which is missing.");
             self_destruct();
         }
-        if (hijacked && !s->flags.tunnelSslBumping) {
-            debugs(3, DBG_CRITICAL, "FATAL: tproxy/intercept on https_port 
requires ssl-bump which is missing.");
-            self_destruct();
-        }
+        // intercepted traffic on https_port implies 'ssl-bump'
+        if (hijacked && !s->flags.tunnelSslBumping)
+            s->flags.tunnelSslBumping = true;
 #endif
         if (s->flags.proxySurrogate) {
             debugs(3,DBG_CRITICAL, "FATAL: https_port: require-proxy-header 
option is not supported on HTTPS ports.");
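Review bot: the replacement block turns a previously FATAL misconfiguration into a silent behaviour change with no log line, at the point where `s->flags.tunnelSslBumping = true;` is set. Enabling TLS interception on a listening port is exactly the kind of implicit change an operator needs to see in cache.log when the old config stops failing and starts bumping, so suggest keeping a `debugs(3, DBG_IMPORTANT, ...)` (text to be chosen, e.g. noting that tproxy/intercept on https_port implies ssl-bump) beside the assignment instead of only the code comment. Minor: the `!s->flags.tunnelSslBumping` guard is redundant because assigning `true` is idempotent, so `if (hijacked) s->flags.tunnelSslBumping = true;` reads more clearly. The earlier check above it, "ssl-bump on https_port requires tproxy/intercept", still self-destructs, which is consistent with the commit message.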
@@ -3814,7 +3813,8 @@
     }
 
 #if USE_OPENSSL
-    if (s->flags.tunnelSslBumping)
+    // ssl-bump is implicit for HTTPS intercept/tproxy ports, otherwise 
explicit
+    if (s->flags.tunnelSslBumping && !s->flags.isIntercepted())
         storeAppendPrintf(e, " ssl-bump");
 #endif
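Review bot: omitting " ssl-bump" from the dumped port line for intercepted ports hides the effective setting from anyone reviewing the running configuration, at the new `if (s->flags.tunnelSslBumping && !s->flags.isIntercepted())` condition. The parse path in the previous hunk still accepts an explicit ssl-bump on an intercept/tproxy https_port, so always emitting it when `tunnelSslBumping` is set would keep the dump a faithful, re-parseable record of what the port is actually doing; if the omission is deliberate, say so in the comment, since a dump that differs from the effective behaviour is the harder case to audit. Also confirm that `isIntercepted()` covers the same `hijacked` condition (both tproxy and intercept) used when the flag is set, otherwise the two hunks disagree about which ports count as implicit.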
 

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev