[squid-dev] [PATCH] initial GnuTLS support for encrypted server connections

Alex Rousskov rousskov at measurement-factory.com
Thu Feb 2 15:05:31 UTC 2017


On 02/01/2017 11:51 PM, Amos Jeffries wrote:

> Can we agree on this being a fundamental design in Squid:
> 
>  * all connections have an associated socket ID.

That assumption would be too limiting (and, AFAICT, unnecessary). For
example, SSL connections inside SSL connections (HTTPS proxy) do not
have a socket. The same will apply to SSL connections inside HTTP/2
sessions. And eventually QUIC.


>  * all _open_ connections are stored in fd_table. Indexed by the
> connection's socket ID. If not that is a bug.

Again, this is oversimplifying too much: fd_table is for sockets, not
connections. Some connections do not have sockets. All open TCP
connections should have sockets in fd_table though.


> Do you agree on that?

No.


> Now a Question, and please answer carefully:
> 
> Does the PeerConnector or the new() operator 'connect' the "SSL
> connection" ?

Which new() operator? To connect an SSL connection one has to call
SSL_connect() or equivalent. If PeerConnector or your new() operator
call SSL_connect() (directly or indirectly) then they are trying to
change the state of an SSL connection to "connected". Does that answer
your question?


HTH,

Alex.
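The point Alex makes above, that a TLS connection is a protocol state machine and not a socket, and that "connecting" it means driving that state machine (SSL_connect() or equivalent) rather than opening a descriptor, can be shown directly. The following is an added example and not Squid code; Squid does this in C against OpenSSL or GnuTLS, while here Python's stdlib ssl.MemoryBIO stands in for an OpenSSL memory BIO pair. The TLS client below has no socket at all: its ClientHello lands in a buffer that some outer layer (in the HTTPS-proxy case, another TLS connection) would have to carry. The server name "inner.example.test" is a made-up value and no network I/O occurs.

```python
"""Added example (not Squid code): a TLS client "connection" driven entirely
over in-memory buffers, i.e. with no socket and therefore nothing that could
be indexed by a socket descriptor in a table such as fd_table."""
import ssl


def start_socketless_tls_client(server_name: str = "inner.example.test") -> dict:
    """Create a TLS client state machine over memory BIOs and advance it until
    it blocks waiting for the peer.  Returns what the outer layer must send.
    `server_name` is a constructed value; no peer exists and nothing is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Verification is irrelevant here because no peer will ever answer; a real
    # inner connection must keep hostname checking and CERT_REQUIRED on.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    incoming = ssl.MemoryBIO()   # bytes the outer layer received for us
    outgoing = ssl.MemoryBIO()   # bytes we want the outer layer to transport
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)

    # do_handshake() is the SSL_connect() equivalent: it moves the TLS state
    # machine towards "connected".  With no peer data available it writes its
    # ClientHello into `outgoing` and raises SSLWantReadError; whoever owns the
    # outer transport, not a socket, is responsible for moving the bytes.
    try:
        tls.do_handshake()
        handshake_complete = True
    except ssl.SSLWantReadError:
        handshake_complete = False

    return {
        "has_fileno": hasattr(tls, "fileno"),   # SSLObject has no descriptor
        "handshake_complete": handshake_complete,
        "to_send": outgoing.read(),
    }


def parse_tls_record_header(data: bytes) -> dict:
    """Decode the 5-byte TLS record header and, for a handshake record, the
    handshake message type of the first message inside it."""
    if len(data) < 6:
        raise ValueError("short TLS record")
    content_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": content_type,                 # 22 == handshake
        "record_version": (major, minor),             # legacy field, usually (3, 1)
        "length": length,
        "handshake_type": data[5] if content_type == 22 else None,  # 1 == ClientHello
        "complete_record": len(data) >= 5 + length,
    }


if __name__ == "__main__":
    result = start_socketless_tls_client()
    print("socket descriptor available:", result["has_fileno"])
    print("handshake complete:", result["handshake_complete"])
    print("outer layer must carry:", parse_tls_record_header(result["to_send"]))
```

Running it shows a handshake record containing a ClientHello (with the SNI visible in cleartext) sitting in a buffer, a TLS object that has no fileno(), and a handshake that cannot complete until something feeds the peer's response into the incoming buffer. That is the situation of an SSL-inside-SSL connection: the inner connection's state is real and must be tracked somewhere, but it owns no socket.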
