[squid-dev] TLS session extended data
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 12 22:22:20 UTC 2017
OpenSSL uses the extension-data API SSL_set_ex_data() / SSL_get_ex_data()
to store extra details in one part of the code and retrieve them in others.
Thus the globals.h 'registrations' for these data:
extern int ssl_ex_index_server; /* -1 */
extern int ssl_ctx_ex_index_dont_verify_domain; /* -1 */
extern int ssl_ex_index_cert_error_check; /* -1 */
extern int ssl_ex_index_ssl_error_detail; /* -1 */
extern int ssl_ex_index_ssl_peeked_cert; /* -1 */
extern int ssl_ex_index_ssl_errors; /* -1 */
extern int ssl_ex_index_ssl_cert_chain; /* -1 */
extern int ssl_ex_index_ssl_validation_counter; /* -1 */
GnuTLS has a similar feature, BUT the critical difference is that we have to
store a raw pointer and can only attach one to a session. We cannot
register different datums like OpenSSL does.
The obvious solution is to merge the above items into a single custom
class and have a static getter function to retrieve the relevant object
from a session, creating and attaching an instance of that class if the
session has none yet.
I intend to do it one at a time. Starting with ssl_ex_index_server, and
moving on to the others only as the non-OpenSSL code needs them.
Christos: this is most likely going to have a fairly major impact on your
pending work, and will need some of your time testing that things still work okay.
Amos
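A sketch of the merged-class approach described in the post, added here as an illustration and not Squid's own code. It uses a constructed stand-in for the single per-session pointer slot (mirroring gnutls_session_set_ptr() / gnutls_session_get_ptr()) so it builds without GnuTLS headers; the class and field names are hypothetical, and only a few of the globals.h items are shown.

```cpp
#include <string>
#include <vector>

// Constructed stand-in for the one opaque pointer GnuTLS keeps per session
// (gnutls_session_set_ptr / gnutls_session_get_ptr); not the real API.
struct FakeSession {
    void *ptr = nullptr;
};
static void session_set_ptr(FakeSession *s, void *p) { s->ptr = p; }
static void *session_get_ptr(FakeSession *s) { return s->ptr; }

// One object holding what Squid keeps under separate OpenSSL ex_data
// indices; the fields mirror a subset of the globals.h registrations.
class TlsSessionData {
public:
    void *server = nullptr;            // ssl_ex_index_server
    bool dontVerifyDomain = false;     // ssl_ctx_ex_index_dont_verify_domain
    std::vector<std::string> errors;   // ssl_ex_index_ssl_errors
    int validationCounter = 0;         // ssl_ex_index_ssl_validation_counter

    // Static getter: returns the object attached to the session, creating
    // and attaching one on first use (the lazy-attach scheme from the post).
    static TlsSessionData *Get(FakeSession *session) {
        if (auto *p = static_cast<TlsSessionData *>(session_get_ptr(session)))
            return p;
        auto *fresh = new TlsSessionData();
        session_set_ptr(session, fresh);
        return fresh;
    }

    // Must run when the session is torn down: the library only stores the
    // raw pointer, it never frees what it points to.
    static void Release(FakeSession *session) {
        delete static_cast<TlsSessionData *>(session_get_ptr(session));
        session_set_ptr(session, nullptr);
    }
};

// Two unrelated call sites touch the session; both see the same object.
static int demo() {
    FakeSession s;
    TlsSessionData::Get(&s)->validationCounter++;
    TlsSessionData::Get(&s)->errors.push_back("constructed sample error");
    TlsSessionData *d = TlsSessionData::Get(&s);
    const int seen = d->validationCounter + static_cast<int>(d->errors.size());
    TlsSessionData::Release(&s);
    return seen;
}
```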