On 17.07.2012 04:15, Tsantilas Christos wrote:
This is one more patch for the bump-ssl-server-first feature.
It handles most of Amos's comments and allows use of the old ssl_bump
syntax:
ssl_bump allow/deny acl ...
This patch tries to implement the following rules:
1. Convert allow to client-first, with a deprecation warning. One such warning per config.
2. Convert deny to none, with a deprecation warning. One such warning per config.
3. If there was a conversion, make the implicit negation rule explicit by adding either "none all" or "client-first all" as appropriate. Emit a warning specifying which rule has been added. This will need to be done after the entire configuration has been parsed, of course. It uses the rrFinalizeConfig Runner.
4. Issue a fatal error if a mixture of old and new keywords is found.
I am attaching two patches here. The first is the changes over the
original bump-ssl-server-first patch, which were requested by Amos. The
second is the final patch.
Regards,
Christos
Thank you.
Are the new WARNINGs really so important that they must always be at
CRITICAL level?
I would think the impact was a bit less (no impact in the case of deny).
s/DBG_CRITICAL/DBG_PARSE_NOTE(2)/ for the deny conversion?
s/DBG_CRITICAL/DBG_PARSE_NOTE(DBG_IMPORTANT)/ for the allow conversion?
... using the DBG_PARSE_NOTE(x) macro which is now available in trunk,
it bumps the message up to CRITICAL when -k parse is used, but outputs
at the indicated value during normal startup/reconfigure operations.
Also, the "allow" message would seem to qualify for the "SECURITY
NOTICE:" prefix instead of just "WARNING:".
http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_Error_Messages
That polish can be done on commit.
+1 from me now, with or without the above.
Amos
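The four conversion rules Christos lists above, as an added stand-alone example (not code from the Squid patch or from anyone in the thread): a small audit function that rewrites a squid.conf fragment the way the patch describes, emits one deprecation warning per old keyword, appends the explicit closing rule, and refuses a mix of old and new keywords. It assumes Squid's usual convention that the implicit default of an ACL list is the opposite of the last rule, so the closing rule is "none all" after a final client-first and "client-first all" after a final none; the sample config lines are constructed.

```python
# Added example: convert deprecated "ssl_bump allow/deny" lines to the
# client-first/none syntax following the rules in the thread. Not Squid code.

OLD_ACTIONS = {"allow": "client-first", "deny": "none"}
NEW_ACTIONS = {"none", "client-first", "server-first"}
# Assumption: the implicit default is the opposite of the last rule.
OPPOSITE = {"client-first": "none", "none": "client-first"}


def convert_ssl_bump(lines):
    """Return (converted_lines, warnings); raise ValueError on mixed syntax."""
    out, warnings, warned = [], [], set()
    seen_old = seen_new = False
    last_action = None
    for raw in lines:
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "ssl_bump":
            out.append(raw)                      # comments, acl lines, etc.
            continue
        action, acls = parts[1], parts[2:]
        if action in OLD_ACTIONS:                # rules 1 and 2
            seen_old = True
            new_action = OLD_ACTIONS[action]
            if action not in warned:             # one warning per config
                warned.add(action)
                warnings.append(f"WARNING: ssl_bump {action} is deprecated; "
                                f"treated as {new_action}")
            action = new_action
        elif action in NEW_ACTIONS:
            seen_new = True
        else:
            raise ValueError(f"unknown ssl_bump action: {action}")
        if seen_old and seen_new:                # rule 4
            raise ValueError("FATAL: mixture of old and new ssl_bump keywords")
        last_action = action
        out.append(" ".join(["ssl_bump", action] + acls))
    if seen_old and last_action is not None:     # rule 3
        closing = OPPOSITE[last_action]
        out.append(f"ssl_bump {closing} all")
        warnings.append(f"WARNING: added implicit rule 'ssl_bump {closing} all'")
    return out, warnings


if __name__ == "__main__":
    # Constructed sample fragment, not from a real squid.conf.
    sample = ["acl nobump dstdomain .bank.example",
              "ssl_bump deny nobump", "ssl_bump allow all"]
    converted, notes = convert_ssl_bump(sample)
    print("\n".join(converted + notes))
```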