Hi all,

The r14142 patch broke CONNECT authentication. The bug was caused by a misplaced block of code while porting the patch from squid-5 to squid-3.5.
My apologies.
I am attaching a patch which fixes the problem for squid-3.5. The other releases do not suffer from this problem.

On 09/02/2017 06:38 PM, Amos Jeffries wrote:
On 7/02/2017 11:12 p.m., Christos Tsantilas wrote:
On 07/02/2017 11:43 AM, Amos Jeffries wrote:
On 7/02/2017 6:07 a.m., Christos Tsantilas wrote:
Applied to trunk as r15036.

I am attaching the patch for squid-3.5


On 04/02/2017 04:07 PM, Amos Jeffries wrote:
On 4/02/2017 8:27 a.m., Christos Tsantilas wrote:
... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
http_access deny rule match.

The old code allowed ssl_bump step1 rules to be evaluated in the
presence of an error. An ssl_bump splicing decision would then trigger
the useless "send the error to the client now" processing logic
instead
of going down the "to serve an error, bump the client first" path.


Does this fix bug 4646?

Nope.
Bug 4646 is a little different because of a splice, which was decided
before the squid-to-server-connection error.



Thanks. Applied to v4 and to 3.5 as rev.14142.

Amos
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev


Fix r14142: Bump SSL client on [more] errors encountered before ssl_bump evaluation

The r14142 patch broke CONNECT authentication. The bug was caused by a misplaced
block of code while porting the patch from squid-5 to squid-3.5.

=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc	2017-02-08 05:40:33 +0000
+++ src/client_side_request.cc	2017-02-21 16:51:16 +0000
@@ -1425,55 +1425,55 @@
                "), " << "ignoring ssl_bump for " << http->getConn());
         if (!http->getConn()->serverBump())
             http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
         http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
         return false;
     }
 
     // If we have not decided yet, decide whether to bump now.
 
     // Bumping here can only start with a CONNECT request on a bumping port
     // (bumping of intercepted SSL conns is decided before we get 1st request).
     // We also do not bump redirected CONNECT requests.
     if (http->request->method != Http::METHOD_CONNECT || http->redirect.status ||
             !Config.accessList.ssl_bump ||
             !http->getConn()->port->flags.tunnelSslBumping) {
         http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
         debugs(85, 5, HERE << "cannot SslBump this request");
         return false;
     }
 
-    if (error) {
-        debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
-        http->sslBumpNeed(Ssl::bumpBump);
-        http->al->ssl.bumpMode = Ssl::bumpBump;
-        return false;
-    }
-
     // Do not bump during authentication: clients would not proxy-authenticate
     // if we delay a 407 response and respond with 200 OK to CONNECT.
     if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
         http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
         debugs(85, 5, HERE << "no SslBump during proxy authentication");
         return false;
     }
 
+    if (error) {
+        debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
+        http->sslBumpNeed(Ssl::bumpBump);
+        http->al->ssl.bumpMode = Ssl::bumpBump;
+        return false;
+    }
+
     debugs(85, 5, HERE << "SslBump possible, checking ACL");
 
     ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);
     aclChecklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
     return true;
 }
 
 /**
  * A wrapper function to use the ClientRequestContext::sslBumpAccessCheckDone method
  * as ACLFilledChecklist callback
  */
 static void
 sslBumpAccessCheckDoneWrapper(allow_t answer, void *data)
 {
     ClientRequestContext *calloutContext = static_cast<ClientRequestContext *>(data);
 
     if (!calloutContext->httpStateIsValid())
         return;
     calloutContext->sslBumpAccessCheckDone(answer);
 }
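Review bot: the reordering is correct, but the "Do not bump during authentication" block still carries no hint that it must stay ahead of the generic `if (error)` force-bump block, so the same regression can be reintroduced by a later tidy-up. In the removed ordering every non-null `error`, the 407 case included, hit `http->sslBumpNeed(Ssl::bumpBump)` and returned before the `Http::scProxyAuthenticationRequired` comparison could run, which is exactly how r14142 broke CONNECT authentication: the client received 200 OK to its CONNECT and was bumped instead of seeing the 407 it needs to answer. Suggest extending the existing comment, e.g. `// Must precede the generic "force bump on error" check below.`, so the ordering constraint is documented next to the code. Alternatively, since the authentication block already tests `error &&`, nesting the 407 exemption inside the single `if (error)` branch (exemption first, force-bump second) would make the dependency structural rather than positional and keep both `return false` paths as they are now.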
