[squid-dev] [PATCH] switch session/connection for OpenSSL

Amos Jeffries squid3 at treenet.co.nz
Sat Jun 10 12:27:41 UTC 2017


On 27/04/17 05:24, Alex Rousskov wrote:
> Needless to say, I would be happy if we can come up with better
> definitions or even better concepts. The above is a starting point.
>

I do not think it is up to us to define these things. So I have taken a 
much longer reading of all the RFCs since SSLv3.0 through to current 
TLS/1.3 and isolated what are the authoritative definitions AFAICT.

The attached patch:

* updates some of the libsecurity API documentation to reference the 
relevant RFC definitions and sections.

* moves the pieces that are doing what is defined as solely TLS 
Connection things to security/TlsConnection.* files.

* adds a Security::TlsConnection::Pointer type for use by code dealing 
with TLS Connection logic.
  - SessionPointer still exists for code performing TLS Session logic. 
see PeerConnector description for the distinction.
  - I have not gone through and renamed uses of SessionPointer beyond 
those directly involved with the above code shuffle.


Yes this is far from complete, and intentionally much smaller than the 
previous patch. I am limiting the scope here to these things which have 
RFC definitions, and making their names consistent with those 
definitions where there was a conflict.


PS: Applying the definitions to PeerConnector, it has become clear that 
it (and children) is not following a MUST requirement about the underlying 
TCP transport connection being terminated in the case where Handshake 
negotiation failed due to a Record protocol violation. They are leaving 
this closure to the caller, which is a layering violation - that caller 
being required to watch the Comm::Connection for close() anyway AND 
Squid being the client, indicates there is not a strong case for doing that.


Amos

-------------- next part --------------
A non-text attachment was scrubbed...
Name: TlsConnection_mk1.patch
Type: text/x-patch
Size: 46617 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170611/ef83fc69/attachment-0001.bin>
