On 26/07/2013 10:20 p.m., Tsantilas Christos wrote:
This patch tries to detect infinite OpenSSL validation loops.

If OpenSSL is stuck in a validation loop, Squid breaks the loop and
triggers a new custom SQUID_X509_V_ERR_INFINITE_VALIDATION SSL
validation error.
That error cannot be bypassed using sslproxy_cert_error because to break
the loop Squid has to tell OpenSSL that the certificate is invalid,
which terminates the SSL connection.

The cause for this patch is the following bug in OpenSSL (but other similar
problems may be found in the future):
http://rt.openssl.org/Ticket/Display.html?id=3090 (login with guest/guest)

This is a Measurement Factory project

Please make the validation counter a fixed-size type (uint16/32/64_t) and add a note where SQUID_CERT_VALIDATION_ITERATION_MAX is defined about what the absolute upper MAX limit that can be defined for the loop is.

+1. Otherwise fine as far as I can tell. Although I'm not aware enough about OpenSSL API to fully judge.
Amos
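An added example, not the Squid patch under review (which is not shown on this page) and not OpenSSL code: a self-contained C model of the mechanism described in the message above. A verify callback counts its own invocations per connection and, once it has been called SQUID_CERT_VALIDATION_ITERATION_MAX times, records SQUID_X509_V_ERR_INFINITE_VALIDATION and returns 0, which is the only way to stop OpenSSL and therefore cannot be routed through an allow list. The counter uses a fixed-width type as Amos asks, and a static assertion ties the limit to that type's maximum. The conn_state_t struct, the bypass_allowed() stand-in for sslproxy_cert_error, the scenario functions and every numeric value (the 1024 limit, the error codes) are assumptions chosen for this illustration; only the callback contract (return 1 to continue, 0 to reject and end the handshake) is OpenSSL's.

```c
#include <stdbool.h>
#include <stdint.h>

/* Error codes. X509_V_OK is 0 in OpenSSL; the other values are assumptions.
 * The Squid-specific code sits well above OpenSSL's own small X509_V_ERR_* ints. */
#define X509_V_OK 0
#define SAMPLE_BYPASSABLE_ERR 10   /* an ordinary X509_V_ERR_* the admin allow-listed */
#define SAMPLE_FATAL_ERR 20        /* an ordinary X509_V_ERR_* the admin did not */
#define SQUID_X509_V_ERR_INFINITE_VALIDATION 0x10000

/* Fixed-width per-connection counter. verify_cb() compares before it
 * increments, so the counter never exceeds SQUID_CERT_VALIDATION_ITERATION_MAX;
 * the absolute upper limit for that constant is therefore the counter type's
 * maximum (UINT16_MAX here). Anything larger would let the counter wrap and
 * the loop run forever, which the static assertion rules out at compile time. */
typedef uint16_t validation_counter_t;
#define SQUID_CERT_VALIDATION_ITERATION_MAX 1024  /* assumed value */
_Static_assert(SQUID_CERT_VALIDATION_ITERATION_MAX <= UINT16_MAX,
               "SQUID_CERT_VALIDATION_ITERATION_MAX must fit in validation_counter_t");

/* Per-connection state; in Squid this would hang off the SSL connection and be
 * reached from the callback through the X509_STORE_CTX (assumption). */
typedef struct {
    validation_counter_t iterations; /* verify-callback invocations so far */
    int error;                       /* last error seen, X509_V_OK if none */
    bool aborted;                    /* callback returned 0: handshake is over */
} conn_state_t;

/* Stand-in for the sslproxy_cert_error allow list (assumption). */
static bool bypass_allowed(int err) { return err == SAMPLE_BYPASSABLE_ERR; }

/* Models OpenSSL's verify callback, int cb(int preverify_ok, X509_STORE_CTX *ctx):
 * preverify_ok is OpenSSL's verdict for the current certificate, err the code it
 * would report via X509_STORE_CTX_get_error() when that verdict is 0. Returning
 * 1 lets validation continue; returning 0 marks the certificate invalid and
 * terminates the SSL connection. */
int verify_cb(int preverify_ok, int err, conn_state_t *st) {
    if (st->iterations >= SQUID_CERT_VALIDATION_ITERATION_MAX) {
        /* More callbacks than any real chain needs: OpenSSL is looping. The
         * allow list is deliberately not consulted, because returning 1 would
         * keep the loop alive; rejecting is the only exit, so no bypass. */
        st->error = SQUID_X509_V_ERR_INFINITE_VALIDATION;
        st->aborted = true;
        return 0;
    }
    st->iterations++;
    if (preverify_ok)
        return 1;
    st->error = err;
    if (bypass_allowed(err))
        return 1;           /* admin tolerates this error: carry on */
    st->aborted = true;
    return 0;
}

/* Drives the callback as OpenSSL would for a chain of 'depth' certificates
 * that all yield the same verdict. Returns 1 if the handshake completes. */
int validate_chain(conn_state_t *st, unsigned depth, int err) {
    for (unsigned i = 0; i < depth; i++)
        if (!verify_cb(err == X509_V_OK, err, st))
            return 0;
    return 1;
}

/* Drives the callback as a looping OpenSSL would: it never runs out of
 * certificates to ask about, so only a 0 from the callback ends it.
 * Returns the number of invocations it took. */
unsigned long run_looping_validation(conn_state_t *st) {
    unsigned long calls = 0;
    for (;;) {
        calls++;
        if (!verify_cb(1, X509_V_OK, st))
            return calls;
    }
}

/* Scenarios, each reduced to one checkable value. */
int scenario_clean_chain(void) {
    conn_state_t st = {0, X509_V_OK, false};
    return validate_chain(&st, 3, X509_V_OK) == 1 && st.iterations == 3 && !st.aborted;
}
int scenario_bypassed_error(void) {
    conn_state_t st = {0, X509_V_OK, false};
    return validate_chain(&st, 3, SAMPLE_BYPASSABLE_ERR) == 1
        && st.error == SAMPLE_BYPASSABLE_ERR && !st.aborted;
}
int scenario_fatal_error(void) {
    conn_state_t st = {0, X509_V_OK, false};
    return validate_chain(&st, 3, SAMPLE_FATAL_ERR) == 0
        && st.error == SAMPLE_FATAL_ERR && st.aborted && st.iterations == 1;
}
unsigned long scenario_loop_calls(void) {
    conn_state_t st = {0, X509_V_OK, false};
    return run_looping_validation(&st);   /* SQUID_CERT_VALIDATION_ITERATION_MAX + 1 */
}
int scenario_loop_error(void) {
    conn_state_t st = {0, X509_V_OK, false};
    run_looping_validation(&st);
    return (st.aborted && st.iterations == SQUID_CERT_VALIDATION_ITERATION_MAX)
        ? st.error : X509_V_OK;
}
```

The looping scenario shows why the limit is enforced before the increment: the counter stops at exactly SQUID_CERT_VALIDATION_ITERATION_MAX, the rejecting call is the MAX+1st, and the counter type only has to hold MAX itself. If a patch instead incremented first and compared afterwards, the absolute upper limit would be one less than the type's maximum, which is the kind of note Amos asks to have placed next to the definition.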
