On 13/04/2017 01:22 AM, Amos Jeffries wrote:
OpenSSL uses extension-data API with SSL_set_ex_data() SSL_get_ex_data()
to store extra details in one part of code and retrieve them in others.
Thus the globals.h 'registrations' for these data:
extern int ssl_ex_index_server; /* -1 */
extern int ssl_ctx_ex_index_dont_verify_domain; /* -1 */
extern int ssl_ex_index_cert_error_check; /* -1 */
extern int ssl_ex_index_ssl_error_detail; /* -1 */
extern int ssl_ex_index_ssl_peeked_cert; /* -1 */
extern int ssl_ex_index_ssl_errors; /* -1 */
extern int ssl_ex_index_ssl_cert_chain; /* -1 */
extern int ssl_ex_index_ssl_validation_counter; /* -1 */
There is also ssl_ex_index_ssl_untrusted_chain, which is not listed in
globals.cc.
GnuTLS has a similar feature, BUT the critical difference is that we have
to store a raw pointer and can only attach one to a session. We cannot
register different datums like OpenSSL does.
The obvious solution is to merge the above items into a single custom
class and have a static getter function to retrieve the relevant object
from a session, creating and attaching an instance of that class if the
session has none yet.
I intend to do it one at a time. Starting with ssl_ex_index_server, and
moving on to the others only as the non-OpenSSL code needs them.
Christos: this is most likely going to have a fairly major impact on your
pending work, and will need some of your time testing that things still
work okay.
Amos
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
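The single-object-with-static-getter design described in the message above, as an added example. This is not Squid, OpenSSL or GnuTLS code: `FakeSession`, `session_set_ptr()` and `session_get_ptr()` are constructed stand-ins for a session that carries exactly one raw user-data pointer (the shape of gnutls_session_set_ptr()/gnutls_session_get_ptr()), and the field names and types in `SessionData` are assumptions loosely mirroring the ex_data registrations listed in the mail. The part the mail does not spell out, and which a practitioner needs, is lifetime: a raw pointer slot is never freed by the library, so unlike OpenSSL ex_data with a free callback, the session owner has to release the object explicitly.

```cpp
// Added example (not Squid/OpenSSL/GnuTLS code). Demonstrates merging several
// per-session details, previously held in separate OpenSSL ex_data slots, into
// one class attached through a single raw-pointer slot, with a static getter
// that lazily creates and attaches the object.
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a TLS session with exactly one user-data pointer.
// session_set_ptr/session_get_ptr are assumed to behave like the GnuTLS
// gnutls_session_set_ptr()/gnutls_session_get_ptr() pair (assumption).
struct FakeSession {
    void *userPtr = nullptr;
};
static void session_set_ptr(FakeSession *s, void *p) { s->userPtr = p; }
static void *session_get_ptr(FakeSession *s) { return s->userPtr; }

// The merged per-session details. Field names/types are assumptions that
// loosely mirror the ex_data registrations in the mail.
class SessionData {
public:
    bool server = false;                // cf. ssl_ex_index_server
    bool dontVerifyDomain = false;      // cf. ssl_ctx_ex_index_dont_verify_domain
    std::vector<std::string> certChain; // cf. ssl_ex_index_ssl_cert_chain
    int validationCounter = 0;          // cf. ssl_ex_index_ssl_validation_counter

    // Static getter: return the object attached to the session, creating and
    // attaching one if the session has none yet. Every caller sees the same
    // instance, so details stored in one part of the code are visible in others.
    static SessionData *Get(FakeSession *s) {
        auto *d = static_cast<SessionData *>(session_get_ptr(s));
        if (!d) {
            d = new SessionData();
            session_set_ptr(s, d);
        }
        return d;
    }

    // Detach and delete. A raw pointer slot is not owned or freed by the
    // library (OpenSSL ex_data can register a free callback; this cannot), so
    // the session's owner must call this before the session itself is torn down
    // or the object leaks.
    static void Release(FakeSession *s) {
        delete static_cast<SessionData *>(session_get_ptr(s));
        session_set_ptr(s, nullptr);
    }
};

// "Store in one part of the code" ...
static void markServerSide(FakeSession *s) { SessionData::Get(s)->server = true; }
// ... "retrieve in another".
static bool isServerSide(FakeSession *s) { return SessionData::Get(s)->server; }

// Returns true if Get() attaches exactly one object per session and Release()
// clears the slot again.
bool demoSingleObject() {
    FakeSession s;
    SessionData *a = SessionData::Get(&s);
    SessionData *b = SessionData::Get(&s);
    const bool same = (a == b) && (s.userPtr == a);
    SessionData::Release(&s);
    return same && s.userPtr == nullptr;
}

// Returns true if details written through one accessor are read back through
// another, i.e. the single object replaces the separate ex_data slots.
bool demoRoundTrip() {
    FakeSession s;
    markServerSide(&s);
    SessionData::Get(&s)->validationCounter += 2;
    SessionData::Get(&s)->certChain.push_back("constructed-cert-pem");
    const bool ok = isServerSide(&s)
        && SessionData::Get(&s)->validationCounter == 2
        && SessionData::Get(&s)->certChain.size() == 1;
    SessionData::Release(&s);
    return ok;
}

int main() {
    std::printf("single object: %s\n", demoSingleObject() ? "ok" : "FAIL");
    std::printf("round trip:    %s\n", demoRoundTrip() ? "ok" : "FAIL");
    return 0;
}
```

Migrating one index at a time, as the mail proposes, fits this shape naturally: each ex_data slot becomes a field added to `SessionData`, while `Get()` and `Release()` stay the only two places that touch the session's pointer slot.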