[squid-dev] [PATCH] invalid certificates and spliced connections

Tsantilas Christos chtsanti at users.sourceforge.net
Tue Dec 30 13:28:16 UTC 2014


An updated patch to apply to the latest squid sources.
If there are no objections I will apply the latest patch to trunk.


On 12/19/2014 08:27 PM, Tsantilas Christos wrote:
> Currently peek-and-splice mode has the following bugs:
>    1) When the certificate validation procedure finds that the
> certificate is invalid, the splice action is selected and the certificate
> validator helpers are not used, it will splice the connection (even if
> the certificates were found invalid).
>
>    2) When the server sends a malformed or unsupported Hello response, squid
> may splice the connection if the splice action is configured.
>
> This patch causes squid to return an error page to the user in both cases.
>
> But about (2) I need the squid developers' opinions:
>
>   a) Should we abort with an error when a malformed or unsupported
> server hello message is received?
> In this case the user may be able to control squid behaviour using
> cert_validator helpers: squid will send an empty certificates list, and
> the cert validator can respond with an error.
>
>   b) Abort with an error if the server response cannot be parsed.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: invalid-certificates-and-spliced-connections-t4.patch
Type: text/x-patch
Size: 3373 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20141230/09e56ca9/attachment.bin>
