[squid-dev] [PATCH] squid SSL subsystem is not initialized correctly

Tsantilas Christos chtsanti at users.sourceforge.net
Mon Aug 10 11:29:40 UTC 2015


On 08/06/2015 02:55 PM, Amos Jeffries wrote:
> On 6/08/2015 9:54 p.m., Tsantilas Christos wrote:
>> Hi all,
>>
>> Currently the SSL subsystem is not initialized correctly in squid trunk.
>> This is because of the Security::ProxyOutgoingConfig.encryptTransport
>> which is always false so the client SSL CTX object never builds. As a
>> result squid may not start if SSL is configured. I am attaching a small
>> patch I am using in my squid trees to work with SSL.
>
> This always-enabled code is not compatible with the possible admin
> configuration:
>
>   tls_outgoing_options disable
>
>
> Can you please try this instead:
>
>   Security::PeerOptions::parse(const char *token)
>   {
>       if (strncmp(token, "disable", 7) == 0) {
>           clear();
> +        return;
>       } else if (strncmp(token, "cert=", 5) == 0) {
> ...
>       } else {
>           debugs(3, DBG_CRITICAL, "ERROR: Unknown TLS option '" << ...
> +        return;
>       }
> +
> +    encryptTransport = true;
>   }
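Review bot: `encryptTransport = true` at the end of parse() is only reached when a recognised token is actually parsed, so a configuration that carries no tls_outgoing_options line at all leaves the outgoing flag at whatever its initial value is; the default-on state for the outgoing config therefore has to be established in the constructor or at config initialisation, not in parse(). Minor: `strncmp(token, "disable", 7)` also accepts longer tokens such as "disabled"; an exact `strcmp` would be stricter for a keyword with no argument.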
>
>
> If that works you can go through and also remove uses of
> "secure.encryptTransport = true" from adaptation/ServiceConfig.cc and
> cache_cf.cc where it is set next to a call to secure.parse()
> ... but not the other one where it is set to always-on for https_port.

This will not work, because it is not required for someone to 
configure any of the sslproxy options for the SSL client to work.
Squid can always work with the default options.

Security::ProxyOutgoingConfig.encryptTransport must always be 
true unless the SSL client is disabled.

In previous squid releases it was not possible to disable the SSL client, 
but now it looks like this can be done using
   "tls_outgoing_options disable"

Maybe we need to add a parameter to the Security::PeerOptions constructor 
to define whether SSL is enabled by default (for example in the case of 
ProxyOutgoingConfig) or not (for example in the HTTP ports configuration).


>
> If the final result still works, please commit.
>
> Amos
>
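The constructor-default approach proposed in the reply above, as an added example: a constructed model, not squid's own Security::PeerOptions, and the makeOutgoing/makePort helpers, the certFile field and the unknown-token list are assumptions.

```cpp
#include <cstring>
#include <string>
#include <vector>

// Constructed model of Security::PeerOptions (not squid's own code):
// the constructor argument decides whether transport encryption is on
// before any tls_outgoing_options / port option token is parsed.
struct PeerOptions {
    bool encryptTransport;
    std::string certFile;
    std::vector<std::string> unknown; // tokens parse() rejected

    explicit PeerOptions(bool enabledByDefault) : encryptTransport(enabledByDefault) {}

    // Reset all TLS settings, including the transport flag.
    void clear() {
        encryptTransport = false;
        certFile.clear();
    }

    // Parse one option token. Returns false for an unrecognised token.
    bool parse(const char *token) {
        if (strcmp(token, "disable") == 0) {   // exact keyword, not strncmp(..., 7)
            clear();
            return true;
        }
        if (strncmp(token, "cert=", 5) == 0) {
            certFile = token + 5;
        } else {
            unknown.push_back(token);          // leave the flag untouched on error
            return false;
        }
        // A recognised option implies the feature is wanted.
        encryptTransport = true;
        return true;
    }
};

// Outgoing (client-side) TLS: on by default, like ProxyOutgoingConfig.
PeerOptions makeOutgoing(const std::vector<const char *> &tokens) {
    PeerOptions o(true);
    for (const char *t : tokens) o.parse(t);
    return o;
}

// Listening-port options: off unless an option explicitly enables TLS.
PeerOptions makePort(const std::vector<const char *> &tokens) {
    PeerOptions o(false);
    for (const char *t : tokens) o.parse(t);
    return o;
}
```

With no options configured, the outgoing side still ends up encrypted while a plain port does not, which is the case the reply says the parse()-only approach misses.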


