[squid-dev] [PATCH] Avoid SSL certificate db corruption with empty index.txt as a symptom.

Tsantilas Christos chtsanti at users.sourceforge.net
Fri Jul 3 13:48:42 UTC 2015


I just saw that I had forgotten to attach the patch here.


On 06/23/2015 06:30 PM, Tsantilas Christos wrote:
>
> * Detect cases where the size file is corrupted or has a clearly wrong
> value. Automatically rebuild the database in such cases.
>
> * Teach ssl_crtd to keep running if it is unable to store the generated
> certificate in the database. Return the generated certificate to Squid
> and log an error message in such cases.
>
> Background:
>
> There are cases where ssl_crtd may corrupt its certificate database. The
> known cases manifest themselves with an empty db index file.  When that
> happens, ssl_crtd helpers quit, SSL bumping does not work any more, and
> the certificate DB has to be deleted and re-initialized.
>
> We do not know exactly what causes corruption in deployments, but one
> known trigger that is easy to reproduce in a lab is the block size
> change in the ssl_crtd configuration. That change has the following
> side-effects:
>
> 1. When ssl_crtd removes certificates, it computes their size using a
> different block size than the one used to store the certificates. This
> may result in negative database sizes.
>
> 2. Signed/unsigned conversion results in a huge number near LONG_MAX,
> which is then written to the "size" file.
>
> 3. The ssl_crtd helper refuses to store new certificates because the
> database size (as described by the "size" file) exceeds the configured
> limit.
>
> 4. The ssl_crtd helper exits because it cannot store a new certificate
> to the database. No helper response is sent to Squid in this case.
>
> Most likely, there are other corruption triggers -- the database
> management code is of an overall poor quality. This change resolves some
> of the underlying problems in hope to address at least some of the
> unknown triggers as well as the known one.
>
> This is a Measurement Factory project.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Corrupt-SSL-DB-with-emtpy-index-t4.patch
Type: text/x-patch
Size: 15514 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150703/161cd407/attachment.bin>
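
Added example, not part of the message above or of the attached patch, and not Squid's ssl_crtd code: a small C++ model of side-effects 1 and 2 (a block size mismatch driving the size total negative, then an unsigned conversion) next to a checked load that rejects a clearly wrong "size" value and rebuilds the total from the certificate files. All function names, the text format of the size value and the sample byte counts are assumptions made for illustration.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Constructed illustration; none of these names come from Squid's ssl_crtd.

// On-disk footprint of one certificate file, rounded up to whole blocks.
static int64_t blocks(int64_t bytes, int64_t blockSize) {
    return (bytes + blockSize - 1) / blockSize * blockSize;
}

// Flawed removal: a negative total is converted to unsigned without a check.
static uint64_t removeUnchecked(int64_t dbSize, int64_t certBytes, int64_t blockSize) {
    return static_cast<uint64_t>(dbSize - blocks(certBytes, blockSize));
}

// Parse the text of the "size" file; false means the value is clearly wrong.
static bool parseSize(const std::string &text, int64_t &out) {
    char *end = nullptr;
    errno = 0;
    const long long v = std::strtoll(text.c_str(), &end, 10);
    if (end == text.c_str() || errno == ERANGE || v < 0)
        return false; // empty, non-numeric, out of range or negative
    while (*end == '\n' || *end == ' ')
        ++end;
    if (*end != '\0')
        return false; // trailing garbage
    out = v;
    return true;
}

// Checked load: recompute the total from the files when the stored value is unusable.
static int64_t loadSize(const std::string &text, const std::vector<int64_t> &certs, int64_t blockSize) {
    int64_t v = 0;
    if (parseSize(text, v))
        return v;
    v = 0;
    for (int64_t c : certs)
        v += blocks(c, blockSize); // rebuild
    return v;
}

int main() {
    // One 1500-byte certificate stored with 2048-byte blocks, removed with 4096-byte blocks.
    const std::string stored = std::to_string(removeUnchecked(blocks(1500, 2048), 1500, 4096));
    std::printf("size file: %s, after checked load: %lld\n", stored.c_str(),
                static_cast<long long>(loadSize(stored, {1500, 3000}, 4096)));
    return 0;
}
```

A parse check alone does not catch a wrong value that still fits in a signed 64-bit integer; a deployment-specific upper bound would be a further assumption.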

