[squid-dev] [PATCH] Restrict SslBump inspections of cache_peer connections.
Amos Jeffries
squid3 at treenet.co.nz
Sun Nov 29 06:28:31 UTC 2015
On 27/11/2015 12:51 a.m., Christos Tsantilas wrote:
>
> This change is specific to FwdState code path. It does not affect
> tunneled traffic. Thus, it does not affect CONNECT tunnels unless they
> are being inspected with SslBump code.
>
> The old code always used PeekingPeerConnector when connecting to a
> TLS-related cache_peer. That approach worked because
> PeekingPeerConnector does not always inspect the SSL/TLS connection it
> establishes. We were kind of lucky that PeekingPeerConnector exceptions
> matched FwdState needs.
>
> The primary PeekingPeerConnector goal is to inspect. As its code
> evolves, it may enable inspection when FwdState does not want it.
> Non-peeking cases inside PeekingPeerConnector should all deal with
> exceptional situations that are difficult to predict a priori, before
> the connector object is created.
>
> This change restricts inspection to cases where an inspected SSL client
> connection is being forwarded, reducing the probability that a peer
> connection is wrongly inspected. This change does not fix any known bugs.
>
> This is a Measurement Factory project.
>
+1.
Amos