[squid-dev] [PATCH] Restrict SslBump inspections of cache_peer connections.

Christos Tsantilas christos at chtsanti.net
Thu Nov 26 11:51:35 UTC 2015


This change is specific to FwdState code path. It does not affect 
tunneled traffic. Thus, it does not affect CONNECT tunnels unless they 
are being inspected with SslBump code.

The old code always used PeekingPeerConnector when connecting to a 
TLS-related cache_peer. That approach worked because 
PeekingPeerConnector does not always inspect the SSL/TLS connection it 
establishes. We were kind of lucky that PeekingPeerConnector exceptions 
matched FwdState needs.

The primary PeekingPeerConnector goal is to inspect. As its code 
evolves, it may enable inspection when FwdState does not want it. 
Non-peeking cases inside PeekingPeerConnector should all deal with 
exceptional situations that are difficult to predict a priori, before 
the connector object is created.

This change restricts inspection to cases where an inspected SSL client 
connection is being forwarded, reducing the probability that a peer 
connection is wrongly inspected. This change does not fix any known bugs.

This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: use-BlindPeerConnector-toPeer-t3.patch
Type: text/x-patch
Size: 3532 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20151126/ecb40bd7/attachment.bin>