[squid-dev] [PATCH] invalid certificates and spliced connections
Tsantilas Christos
chtsanti at users.sourceforge.net
Fri Dec 19 18:27:57 UTC 2014
Currently peek-and-splice mode has the following bug:
1) When the certificate validation procedure finds that the
certificate is invalid, the splice action is selected, and the certificate
validator helpers are not used, it will splice the connection (even if
the certificates are found invalid).
2) When the server sends a malformed or unsupported Hello response, squid
may splice the connection if the splice action is configured.
This patch causes squid to return an error page to the user in both cases.
But about (2) I need the squid developers' opinions:
a) Should we abort with an error when a malformed or unsupported
server hello message is received?
In this case the user may be able to control squid behaviour using
cert_validator helpers: squid will send an empty certificates list, and
the cert validator can respond with an error.
b) Abort with an error, if the server response can not be parsed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: invalid-certificates-and-spliced-connections-t3.patch
Type: text/x-patch
Size: 2591 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20141219/5b50a7b1/attachment.bin>