[squid-dev] [PATCH] squid SSL subsystem did not initialized correctly

Mon Aug 10 16:24:12 UTC 2015

This patch looks OK

On 08/10/2015 05:12 PM, Amos Jeffries wrote:
> On 10/08/2015 11:29 p.m., Tsantilas Christos wrote:
>> On 08/06/2015 02:55 PM, Amos Jeffries wrote:
>>> On 6/08/2015 9:54 p.m., Tsantilas Christos wrote:
>>>> Hi all,
>>>>
>>>>      Currently SSL subsystem did not initialized correctly in squid
>>>> trunk.
>>>> This is because of the Security::ProxyOutgoingConfig.encryptTransport
>>>> which is always false so the client SSL CTX object never builds. As a
>>>> result squid may not start if SSL is configured. I am attaching a small
>>>> patch I am using in my squid trees to work with SSL.
>>>
>>> This always-enabled code is not compatible with the possible admin
>>> configuration:
>>>
>>>    tls_outgoing_options disable
>>>
>>>
>>> Can you please try this instead:
>>>
>>>    Security::PeerOptions::parse(const char *token)
>>>    {
>>>        if (strncmp(token, "disable", 7) == 0) {
>>>            clear();
>>> +        return;
>>>        } else if (strncmp(token, "cert=", 5) == 0) {
>>> ...
>>>        } else {
>>>            debugs(3, DBG_CRITICAL, "ERROR: Unknown TLS option '" << ...
>>> +        return;
>>>        }
>>> +
>>> +    encryptTransport = true;
>>>    }
>>>
>>>
>>> If that works you can go through and also remove uses of
>>> "secure.encryptTransport = true" from adaptation/ServiceConfig.cc and
>>> cache_cf.cc where it is set next to a call to secure.parse()
>>> ... but not the other one where it is set to always-on for https_port.
>>
>> This is will not work, because it is not required for someone to
>> configure any of the sslproxy options for the SSL client to work.
>> Squid can always work with the default options.
>
> Did you test it?
>
> The default squid.conf parser always sets "tls_outgoing_options
> tls-min-version=1.0". Which should auto-enable DIRECT outgoing, then
> explicit disable is required to turn off again.
>
>
> http_port ... protocol=HTTPS and https_port forces
> "encryptTransport=true;" explicitly based on the expected protocol. So
> it is either enabled by the parse() call when TLS options are used, or
> forced on anyway later when the protocol is validated.
>
>
> icaps:// services also explicitly set "encryptTransport=true;"
> explicitly based on 's' in the service URI scheme.
>
> The cache_peer requires a minimum of "ssl" option to be configured. And
> calls parse(). I see that simple case is passing "" token which gets
> reported as unknown option.
>
>
> With the attached patch TLS should be:
> * default-on for all https_port, icaps:// services, and outgoing
> https:// traffic.
> * manually enabled on cache_peer and http_port.
> * manually disabled on outgoing https:// traffic.
>
>
>>
>> The Security::ProxyOutgoingConfig.encryptTransport = true must be always
>> true unless the the SSL client is disabled.
>
> Yes. And the default config should see to that happening. Which is why I
> asked if you could try the change.
>
>
>>
>> In previous squid releases it was not possible to disable SSL client,
>> but now looks that this is can be done using the
>>    "tls_outgoing_options disable"
>
> Yes, that is new in Squid-4. Along with some small non-OpenSSL HTTPS
> support (not much yet, but growing).
>
>
>>
>> Maybe we need to add a parameter to Security::PeerOptions constructor,
>> to define if the SSL is enabled by default (for example in the case of
>> ProxyOutgoingConfig) or not (for example in HTTP ports configuration).
>>
>
> That would be messy because ProxyOutgoingConfig is a global and the
> others are all explicitly constructed.
>
> Amos
>
>
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>