[squid-dev] Bumping after peek and Splicing after stare
christos at chtsanti.net
Fri May 20 08:20:20 UTC 2016
In peek bumping mode we are sending the client hello message to the
SSL server. The client Hello message normally includes the features
supported by the client and a shared key. This normally makes it impossible
to bump the connection after "peek" mode.
In stare mode squid sends its own hello message (with its supported features
and its shared keys), and this makes it impossible to splice the
connection after stare mode.
However, currently we are trying to hack openSSL, if it is possible (the
same features supported by both squid and the client), and fill its internal
structures with the hello message sent by the client to allow:
- in stare mode, splicing the connection
- in peek mode, bumping the connection.
This was possible and worked if squid and the web client were built using the
same openSSL library, or for older firefox clients (which used a limited
number of TLS extensions).
However, recent changes to the source code of openSSL break this
feature. Moreover, the openSSL source code has changed significantly in its
trunk repository. The upcoming openSSL releases will have major differences.
It looks like it will be very difficult to maintain this hack. And this is
already making problems for squid. The stare mode may not work in some cases.
The squid code which hacks openSSL is inside the adjustSSL function in bio.cc.
I am suggesting to just remove this function and the
SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK configure.ac check.
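The message above turns on one check: whether the hello the client already sent (in peek mode) advertises only features the proxy's own TLS stack could honour, and whether it carries a key share the proxy can never own. The following is an added, self-contained example and is not Squid code or the adjustSSL hack it discusses. It parses the ClientHello out of a TLS record (record and handshake framing as in RFC 5246/8446), lists the cipher suites and extension types, and reports the obstacles to replaying that hello as the proxy's own. The sample hello, the proxy's "supported" sets and the function names (parseClientHello, replayObstacles, checkSample) are constructed for this example; a real proxy would derive the sets from its OpenSSL build.

```cpp
// Added example (not Squid or OpenSSL code): inspect a peeked ClientHello and
// decide whether a proxy could take it over as its own hello.
#include <cstdint>
#include <cstdio>
#include <cstddef>
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

struct ClientHelloInfo {
    std::vector<uint16_t> ciphers;     // offered cipher suites, in client order
    std::vector<uint16_t> extensions;  // extension types, in client order
    bool hasKeyShare = false;          // TLS 1.3 key_share (type 0x0033) present
};

namespace {
void need(const std::vector<uint8_t>& b, size_t off, size_t n) {
    if (off + n > b.size()) throw std::runtime_error("truncated ClientHello");
}
uint16_t be16(const std::vector<uint8_t>& b, size_t off) {
    need(b, off, 2);
    return static_cast<uint16_t>((b[off] << 8) | b[off + 1]);
}
std::string hex16(uint16_t v) {
    char buf[8];
    std::snprintf(buf, sizeof buf, "0x%04x", v);
    return buf;
}
}

// Parse one TLS record (type 0x16) holding a ClientHello handshake message.
ClientHelloInfo parseClientHello(const std::vector<uint8_t>& rec) {
    ClientHelloInfo info;
    need(rec, 0, 5);
    if (rec[0] != 0x16) throw std::runtime_error("not a handshake record");
    const size_t recLen = be16(rec, 3);
    need(rec, 5, recLen);
    size_t p = 5;
    need(rec, p, 4);
    if (rec[p] != 0x01) throw std::runtime_error("not a ClientHello");
    const size_t hsLen = (rec[p + 1] << 16) | (rec[p + 2] << 8) | rec[p + 3];
    p += 4;
    const size_t end = p + hsLen;
    if (end > 5 + recLen) throw std::runtime_error("handshake exceeds record");
    p += 2 + 32;                                   // legacy_version + client random
    need(rec, p, 1);
    p += 1 + rec[p];                               // session id
    const size_t csLen = be16(rec, p); p += 2;
    need(rec, p, csLen);
    for (size_t i = 0; i + 1 < csLen; i += 2) info.ciphers.push_back(be16(rec, p + i));
    p += csLen;
    need(rec, p, 1);
    p += 1 + rec[p];                               // compression methods
    if (p >= end) return info;                     // pre-extension hello
    const size_t extLen = be16(rec, p); p += 2;
    need(rec, p, extLen);
    const size_t extEnd = p + extLen;
    while (p + 4 <= extEnd) {
        const uint16_t type = be16(rec, p), len = be16(rec, p + 2);
        p += 4;
        need(rec, p, len);
        info.extensions.push_back(type);
        if (type == 0x0033) info.hasKeyShare = true;
        p += len;
    }
    return info;
}

// Everything in the client's hello that the proxy could not honour if it
// replayed that hello verbatim. A TLS 1.3 key_share is always an obstacle:
// the proxy does not hold the private half of the client's ephemeral key.
std::vector<std::string> replayObstacles(const ClientHelloInfo& ch,
                                         const std::set<uint16_t>& proxyCiphers,
                                         const std::set<uint16_t>& proxyExts) {
    std::vector<std::string> out;
    for (uint16_t c : ch.ciphers)
        if (!proxyCiphers.count(c)) out.push_back("unsupported cipher " + hex16(c));
    for (uint16_t e : ch.extensions)
        if (!proxyExts.count(e)) out.push_back("unsupported extension " + hex16(e));
    if (ch.hasKeyShare) out.push_back("key_share carries the client's ephemeral public key");
    return out;
}

// Constructed sample: TLS 1.3-style hello offering two suites, x25519 and a key_share.
std::vector<uint8_t> sampleClientHello() {
    std::vector<uint8_t> body = {0x03, 0x03};              // legacy_version
    body.insert(body.end(), 32, 0x11);                     // client random (dummy)
    body.push_back(0x00);                                  // empty session id
    body.insert(body.end(), {0x00, 0x04, 0x13, 0x01, 0xc0, 0x2f}); // AES128-GCM suites
    body.insert(body.end(), {0x01, 0x00});                 // null compression
    const std::vector<uint8_t> exts = {
        0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d,    // supported_groups: x25519
        0x00, 0x33, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x02, 0xaa, 0xbb // key_share (dummy key)
    };
    body.push_back(static_cast<uint8_t>(exts.size() >> 8));
    body.push_back(static_cast<uint8_t>(exts.size() & 0xff));
    body.insert(body.end(), exts.begin(), exts.end());
    std::vector<uint8_t> rec = {0x16, 0x03, 0x01, 0, 0, 0x01, 0, 0, 0};
    const size_t hs = body.size(), rl = hs + 4;
    rec[3] = static_cast<uint8_t>(rl >> 8); rec[4] = static_cast<uint8_t>(rl & 0xff);
    rec[6] = static_cast<uint8_t>(hs >> 16); rec[7] = static_cast<uint8_t>((hs >> 8) & 0xff);
    rec[8] = static_cast<uint8_t>(hs & 0xff);
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}

// Run the check against a hypothetical proxy that either does or does not
// support the TLS 1.3 suite; the proxy feature sets are made up for the demo.
std::vector<std::string> checkSample(bool proxySupportsTls13) {
    std::set<uint16_t> ciphers = {0xc02f};
    if (proxySupportsTls13) ciphers.insert(0x1301);
    const std::set<uint16_t> exts = {0x000a, 0x0033};
    return replayObstacles(parseClientHello(sampleClientHello()), ciphers, exts);
}

int main() {
    for (const std::string& s : checkSample(false)) std::cout << s << "\n";
    return 0;
}
```

Even when every suite and extension matches, the key_share line remains, which is why the message treats bumping after peek as impossible in general rather than as a matter of feature parity.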