[squid-dev] [PATCH] Restrict SslBump inspections of cache_peer connections.

Christos Tsantilas christos at chtsanti.net
Thu Nov 26 11:51:35 UTC 2015

This change is specific to FwdState code path. It does not affect 
tunneled traffic. Thus, it does not affect CONNECT tunnels unless they 
are being inspected with SslBump code.

The old code always used PeekingPeerConnector when connecting to a 
TLS-related cache_peer. That approach worked because 
PeekingPeerConnector does not always  inspect the SSL/TLS connection it 
establishes. We were kind of lucky that  PeekingPeerConnector exceptions 
matched FwdState needs.

The primary PeekingPeerConnector goal is to inspect. As its code 
evolves, it may enable inspection when FwdState does not want it. 
Non-peeking cases inside PeekingPeerConnector should all deal with 
exceptional situations that are difficult to predict a priori, before 
the connector object is created.

This change restricts inspection to cases where an inspected SSL client 
connection is being forwarded, reducing the probability that a peer 
connection is wrongly inspected. This change does not fix any known bugs.

This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: use-BlindPeerConnector-toPeer-t3.patch
Type: text/x-patch
Size: 3532 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20151126/ecb40bd7/attachment.bin>

More information about the squid-dev mailing list