As discussed on the squid-users mailing list under the "Bypassing SSL Bump
for dstdomain" thread, "ssl_bump none" does not work for IPv6.
When Squid decides that bumping is not needed for a request, it creates a
fake CONNECT request and passes it to the tunnel subsystem for further processing.
The problem is that for IPv6 the IP address in URLs and in the Host header
must appear inside brackets:
http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/
Or:
https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/
Currently Squid does not use brackets in the IPv6 case, so the
request cannot be parsed correctly.
I am attaching a patch which solves this bug.
Regards,
Christos
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2013-02-12 11:34:35 +0000
+++ src/client_side.cc 2013-03-08 12:24:39 +0000
@@ -3622,44 +3622,44 @@
static void
httpsSslBumpAccessCheckDone(allow_t answer, void *data)
{
ConnStateData *connState = (ConnStateData *) data;
// if the connection is closed or closing, just return.
if (!connState->isOpen())
return;
// Require both a match and a positive bump mode to work around exceptional
// cases where ACL code may return ACCESS_ALLOWED with zero answer.kind.
if (answer == ACCESS_ALLOWED && answer.kind != Ssl::bumpNone) {
debugs(33, 2, HERE << "sslBump needed for " << connState->clientConnection);
connState->sslBumpMode = static_cast<Ssl::BumpMode>(answer.kind);
httpsEstablish(connState, NULL, (Ssl::BumpMode)answer.kind);
} else {
debugs(33, 2, HERE << "sslBump not needed for " << connState->clientConnection);
connState->sslBumpMode = Ssl::bumpNone;
// fake a CONNECT request to force connState to tunnel
- static char ip[MAX_IPSTRLEN];
+ static char url[MAX_IPSTRLEN];
static char reqStr[MAX_IPSTRLEN + 80];
- connState->clientConnection->local.NtoA(ip, sizeof(ip));
- snprintf(reqStr, sizeof(reqStr), "CONNECT %s:%d HTTP/1.1\r\nHost: %s\r\n\r\n", ip, connState->clientConnection->local.GetPort(), ip);
+ connState->clientConnection->local.ToURL(url, MAX_IPSTRLEN);
+ snprintf(reqStr, sizeof(reqStr), "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", url, url);
bool ret = connState->handleReadData(reqStr, strlen(reqStr));
if (ret)
ret = connState->clientParseRequests();
if (!ret) {
debugs(33, 2, HERE << "Failed to start fake CONNECT request for ssl bumped connection: " << connState->clientConnection);
connState->clientConnection->close();
}
}
}
/** handle a new HTTPS connection */
static void
httpsAccept(const CommAcceptCbParams ¶ms)
{
AnyP::PortCfg *s = static_cast<AnyP::PortCfg *>(params.data);
if (params.flag != COMM_OK) {
// Its possible the call was still queued when the client disconnected
debugs(33, 2, "httpsAccept: " << s->listenConn << ": accept failure: " << xstrerr(params.xerrno));