[squid-dev] [PATCH] sslproxy_options in peek-and-splice mode

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 10 23:54:57 UTC 2015


On 9/02/2015 6:43 a.m., Tsantilas Christos wrote:
> Bug description:
> 
>   - Squid sslproxy_options deny the use of TLSv1_2 SSL protocol:
>            sslproxy_options NO_TLSv1_2
>   - Squid uses peek mode for bumped connections.
>   - Web client sends a TLSv1_2 hello message and squid in peek mode
> forwards the client hello message to the server
>   - Web server responds with a TLSv1_2 hello message
>   - Squid, while parsing the server hello message, aborts with an error
> because sslproxy_options deny the use of the TLSv1_2 protocol.
> 
> This patch fixes squid to ignore sslproxy_options in peek or stare
> bumping mode.

As I understand it the action of applying the options to the context
removes from the context cipher references etc which are not possible.

Since peek and stare are non-final states I can easily imagine that the
OpenSSL library negotiates ciphers which the options would otherwise
prohibit. Then when the options get applied to the context it finds
itself using an algorithm which does not exist.

So what happens during the final state in that type of event?

Amos
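As an added illustration of the behaviour described in the quoted bug report (this is not Squid's code and not part of the patch), the sketch below parses the negotiated version out of a constructed TLS ServerHello record and applies a NO_TLSv1_2-style check only in a final bump step, skipping it for the non-final peek and stare steps. The option-to-version table, the `bump_mode` strings and all function names are assumptions made for the demo.

```python
import struct

# sslproxy_options tokens that forbid a TLS protocol version, mapped to the
# (major, minor) wire version each one rules out. Assumed for this demo; the
# token names mirror the one used in the thread (NO_TLSv1_2).
NO_PROTOCOL_OPTIONS = {
    "NO_SSLv3": (3, 0),
    "NO_TLSv1": (3, 1),
    "NO_TLSv1_1": (3, 2),
    "NO_TLSv1_2": (3, 3),
}


def build_server_hello(major, minor):
    """Construct a minimal TLS ServerHello record (constructed sample, not a
    capture): version, 32-byte random, empty session id, one cipher suite,
    null compression, wrapped in a handshake header and a record header."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_version(record):
    """Return the (major, minor) version the server chose in a ServerHello."""
    if len(record) < 11:
        raise ValueError("record too short")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x02:  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    return (body[4], body[5])  # server_version follows the 4-byte handshake header


def server_hello_allowed(record, options, bump_mode):
    """Decide whether the proxy should keep going after this ServerHello.
    peek/stare are non-final steps, so (as the patch proposes) the options
    are ignored there; in the final 'bump' step they are enforced."""
    version = parse_server_hello_version(record)
    if bump_mode in ("peek", "stare"):
        return True, "non-final bump step, sslproxy_options not applied"
    for opt in options:
        if NO_PROTOCOL_OPTIONS.get(opt) == version:
            return False, "%s forbids negotiated version %s" % (opt, version)
    return True, "version permitted"
```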