[squid-dev] [PATCH] Ignore impossible SSL bumping actions, as intended and documented / bug 4237 fix

Amos Jeffries squid3 at treenet.co.nz
Wed Aug 12 03:31:59 UTC 2015


On 12/08/2015 5:28 a.m., Alex Rousskov wrote:
> On 08/11/2015 10:40 AM, Amos Jeffries wrote:
>> On 11/08/2015 11:24 p.m., Tsantilas Christos wrote:
>>> On 08/11/2015 07:30 AM, Amos Jeffries wrote:
>>>> What about the other documented actions:
>>>>   * "reconnect" at step 1 & 2
> 
>>> The reconnect is not yet implemented.
> 
>> Gah. So for the last year-ish it has been published in wiki
>> SslPeekAndSplice page as an available config option. But is actually
>> nothing more than an unused enum value ?
> 
> Not quite. The wiki says: "There are several actions that Squid can do

Exactly. I'm all ears about which version(s) of squid "can do" reconnect.


> while handling an SSL connection. See your Squid documentation for a
> list of actions it actually supports." Our squid.conf.documented does
> not mention "reconnect", of course.
> 
> IIRC, when the wiki page was created, none of the newer actions were
> officially supported! Listing the ones we knew about helped admins to
> prioritize (focus their requests on the most important ones while
> thinking about future improvement plans).

When the page was created peek-n-splice itself did not exist beyond an
abstract plan. It was since published in (apparently) fully working form.

> 
> And "terminate" is not an [unused] BumpMode enum value (I only checked
> trunk though).

"terminate" does not enter the picture.

I speak exclusively of "reconnect" and "none" in my earlier response.

> 
>> Great. Please fix *that*.
> 
> This is not a bug, just a not-yet-implemented [and complex!] feature.

Only because nobody filed one about it yet. We *do* get bugs filed about
wiki text describing things like this which are not usable in production
releases.
Though most of the SSL-Bump issues have been flowing through squid-users
rather than bugzilla so far.


> However, we should polish the wiki page to be more clear about each
> action status. I propose the following wiki changes:
> 
> 1. Gray-out actions that are not-yet supported by trunk.
> 
> 2. Adding "This action is not supported yet" text to "reconnect". We
> have that text for the "err" action already.
> 
> 3. Changing "your Squid documentation" to "your squid.conf.documented".
> 
> 4. Changing "that Squid can do" to "that may be useful".
> 
> 
> Any better ideas?
> 

0. Complete removal of the action entry from wiki.

It is a thing that has never been supported, and does not have a good
technical reason for omission beyond lack of need.

Squid also doesn't support emitting pictures of cats in place of server
certificates either. Should we document that? It theoretically has
better reason to be documented, since doing so would break a lot of
things badly.

IMO we can remove the things that are not supported from the
documentation unless it has been explicitly rejected and then it should
have a reason why it was rejected.

That kind of wishful thing is fine when the page documents a development
branch or wishlist entry. Now it's documenting a production usable
feature. If anyone has a need of something undocumented they can (and
do) request additions.

Amos