[squid-dev] TLS session extended data
Christos Tsantilas
christos at chtsanti.net
Fri Apr 14 11:40:26 UTC 2017
On 13/04/2017 01:22 πμ, Amos Jeffries wrote:
> OpenSSL uses extension-data API with SSL_set_ex_data() SSL_get_ex_data()
> to store extra details in one part of code and retrieve them in others.
>
> Thus the globals.h 'registrations' for these data:
> extern int ssl_ex_index_server; /* -1 */
> extern int ssl_ctx_ex_index_dont_verify_domain; /* -1 */
> extern int ssl_ex_index_cert_error_check; /* -1 */
> extern int ssl_ex_index_ssl_error_detail; /* -1 */
> extern int ssl_ex_index_ssl_peeked_cert; /* -1 */
> extern int ssl_ex_index_ssl_errors; /* -1 */
> extern int ssl_ex_index_ssl_cert_chain; /* -1 */
> extern int ssl_ex_index_ssl_validation_counter; /* -1 */
There is also the ssl_ex_index_ssl_untrusted_chain which is not listed
in globals.cc
>
> GnuTLS has a similar feature, BUT critical difference is that we have to
> store a raw-pointer and can only attach one to a session. We cannot
> register different datums like OpenSSL does.
>
>
> The obvious solution is merging the above items into a single custom
> class and have a static getter function to retrieve the relevant object
> from a session. Creating and attaching an instance of that class if the
> session has none yet.
>
> I intend to do it one at a time. Starting with ssl_ex_index_server, and
> moving on to the others only as the non-OpenSSL code needs them.
>
>
> Christos; this is most likely going to be a fairly major impact on your
> pending work, and need some of your time testing things work okay still.
>
>
> Amos
>
More information about the squid-dev
mailing list