[squid-dev] [PATCH] splicing resumed sessions

Tsantilas Christos chtsanti at users.sourceforge.net
Tue Mar 17 17:21:33 UTC 2015


This patch adds the "ssl_bump_resuming_sessions" directive that controls
SslBump behavior when dealing with "resuming SSL/TLS sessions". Without 
these changes, SslBump usually terminates all resuming sessions with an 
error because such sessions do not include server certificates, 
preventing Squid from successfully validating the server identity.

After these changes, Squid either terminates or splices resuming 
sessions, depending on configuration. Splicing is the right default 
because Squid most likely has spliced the original connections that the 
client and server are trying to resume now.  Most likely, the splicing 
decision would not change now (but the lack of the server certificate 
information means we cannot repeat the original ACL checks and need a 
special directive to tell Squid what to do). Also, without SslBump, 
session resumption would just work, and SslBump default should approach 
that ideal.

In many deployment scenarios, this straightforward "splice or terminate
resuming sessions" implementation is exactly what the admin wants. 
Future projects may add more complex algorithms, including maintaining 
an SMP-shared cache of sessions that may be resumed in the future and 
evaluating client/server attempts to resume a session using that cache.


Example:
   # splice all resuming sessions [this is the default]
   ssl_bump_resuming_sessions allow all

This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.

This patch also prevents occasional segfaults when dealing with SSL
cache_peer negotiation failures.

The last two changes should be applied to squid-3.5 even if this patch will 
not go into squid-3.5.

Regards,
    Christos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-14-splicing-resumed-sessions-t6.patch
Type: text/x-patch
Size: 47098 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150317/e5a8287b/attachment-0001.bin>