[squid-dev] [PATCH] Bump SSL client on [more] errors encountered before ssl_bump evaluation

Christos Tsantilas christos at chtsanti.net
Fri Feb 3 19:27:30 UTC 2017


... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an 
http_access deny rule match.

The old code allowed ssl_bump step1 rules to be evaluated in the 
presence of an error. An ssl_bump splicing decision would then trigger 
the useless "send the error to the client now" processing logic instead 
of going down the "to serve an error, bump the client first" path.

Furthermore, the ssl_bump evaluation result itself could be surprising 
to the admin because ssl_bump (and most other) rules are not meant to be 
evaluated for a transaction in an error state. This complicated triage.

Also polished an important comment to clarify that we want to bump on 
error if (and only if) the SslBump feature is applicable to the failed 
transaction (i.e., if the ssl_bump rules would have been evaluated if 
there were no prior errors). The old comment could have been 
misinterpreted that ssl_bump rules must be evaluated to allow an 
"ssl_bump splice" match to hide the error.

This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-272-Blocked-CONNECT-request-not-bumped-t2.patch
Type: text/x-patch
Size: 5261 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170203/b9cb7914/attachment.bin>
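
A constructed squid.conf fragment showing the situation this message describes. It is an added illustration, not part of the patch or of Squid's own documentation; the ACL name `blocked_sites` and the domain are assumptions:

```conf
# Constructed example. An http_port with ssl-bump and a signing CA
# certificate is assumed to be configured elsewhere.

acl CONNECT method CONNECT
acl blocked_sites dstdomain .blocked.example   # hypothetical ACL and domain

# A CONNECT to a blocked site matches this rule, which puts the transaction
# into an error state (ERR_ACCESS_DENIED, HTTP/403 Forbidden) before any
# ssl_bump rule has been consulted.
http_access deny CONNECT blocked_sites
# ... remaining http_access rules omitted ...

# Old code, per the message above: this rule was still evaluated at step1
# for the denied CONNECT, "splice" matched, and Squid went down the
# "send the error to the client now" path.
# Patched code, per the message above: ssl_bump rules are not evaluated for
# the failed transaction; because SslBump is applicable to it, the client
# is bumped first so that the error can be served.
ssl_bump splice all
```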

