[squid-dev] [PATCH] initial GnuTLS support for encrypted server connections
Alex Rousskov
rousskov at measurement-factory.com
Thu Feb 2 15:05:31 UTC 2017
On 02/01/2017 11:51 PM, Amos Jeffries wrote:
> Can we agree on this being a fundamental design in Squid:
>
> * all connections have an associated socket ID.
That assumption would be too limiting (and, AFAICT, unnecessary). For
example, SSL connections inside SSL connections (HTTPS proxy) do not
have a socket. The same will apply to SSL connections inside HTTP/2
sessions. And eventually QUIC.
> * all _open_ connections are stored in fd_table. Indexed by the
> connection's socket ID. If not that is a bug.
Again, this is oversimplifying too much: fd_table is for sockets, not
connections. Some connections do not have sockets. All open TCP
connections should have sockets in fd_table though.
> Do you agree on that?
No.
> Now a Question, and please answer carefully:
>
> Does the PeerConnector or the new() operator 'connect' the "SSL
> connection" ?
Which new() operator? To connect an SSL connection one has to call
SSL_connect() or equivalent. If PeerConnector or your new() operator
call SSL_connect() (directly or indirectly) then they are trying to
change the state of an SSL connection to "connected". Does that answer
your question?
HTH,
Alex.