[squid-dev] [PATCH] splicing resumed sessions

Tsantilas Christos chtsanti at users.sourceforge.net
Thu Apr 9 10:53:05 UTC 2015


A new version of the patch.

This removes the ssl_bump_resuming_sessions directive and includes many 
fixes over the previous patch.
It also includes support for the NPN and ALPN TLS extensions, required to 
correctly bump SSL connections.
Please read the patch preamble carefully, especially the technical note 
part.

The resumed-sessions and NPN/ALPN extensions problems appeared in 
squid after our decision to not allow splicing of connections for which 
we do not have access to the server certificates. Resumed sessions 
do not include server certificates, and the NPN/ALPN extensions cause 
OpenSSL to abort before retrieving and verifying server certificates.

The problem affects SSL bumping and makes it unusable for many cases. 
Many of the problems reported by users for squid-3.5 should be 
related to this.
So probably this patch should be applied to squid-3.5 too. If yes, I will 
post the patch for squid-3.5 too.

Regards,
    Christos



On 03/17/2015 07:21 PM, Tsantilas Christos wrote:
> This patch adds the "ssl_bump_resuming_sessions" directive that controls
> SslBump behavior when dealing with "resuming SSL/TLS sessions". Without
> these changes, SslBump usually terminates all resuming sessions with an
> error because such sessions do not include server certificates,
> preventing Squid from successfully validating the server identity.
>
> After these changes, Squid either terminates or splices resuming
> sessions, depending on configuration. Splicing is the right default
> because Squid most likely has spliced the original connections that the
> client and server are trying to resume now.  Most likely, the splicing
> decision would not change now (but the lack of the server certificate
> information means we cannot repeat the original ACL checks and need a
> special directive to tell Squid what to do). Also, without SslBump,
> session resumption would just work, and SslBump default should approach
> that ideal.
>
> In many deployment scenarios, this straightforward "splice or terminate
> resuming sessions" implementation is exactly what the admin wants.
> Future projects may add more complex algorithms, including maintaining
> an SMP-shared cache of sessions that may be resumed in the future and
> evaluating client/server attempts to resume a session using that cache.
>
>
> Example:
>    # splice all resuming sessions [this is the default]
>    ssl_bump_resuming_sessions allow all
>
> This patch also makes SSL client Hello message parsing more robust and
> adds an SSL server Hello message parser.
>
> This patch also prevents occasional segfaults when dealing with SSL
> cache_peer negotiation failures.
>
> The last two changes should be applied to squid-3.5 even if this patch will
> not go into squid-3.5.
>
> Regards,
>     Christos
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-14-splicing-resumed-sessions-t11.patch
Type: text/x-patch
Size: 56965 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150409/002d04d1/attachment-0001.bin>
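The thread above turns on two facts a bumping proxy must read out of the hello messages before any certificate arrives: whether the server accepted a resumption (in which case no Certificate message will follow and the usual certificate-based ACL checks cannot run), and whether the client offered ALPN/NPN. The following is an added illustration written for this page, not the attached Squid patch or any Squid code. It parses TLS 1.2 ClientHello and ServerHello records from constructed bytes, detects session-ID resumption (which, per RFC 5077, also covers ticket resumption, since the server echoes the client's session_id when it accepts a ticket), and reports the SNI and ALPN/NPN presence that a splice-or-terminate decision would be based on. The builder functions, cipher-suite values and the fixed random bytes are test fixtures assumed for the example.

```python
"""Added example: parse TLS 1.2 hellos to detect a resumed session (no server
certificate will follow) and ALPN/NPN offers. Not Squid code; the hello
builders below construct test fixtures only."""
import struct

EXT_SNI, EXT_ALPN, EXT_SESSION_TICKET, EXT_NPN = 0, 16, 35, 13172


def _vec(buf, off, lensize):
    """Read a length-prefixed vector at buf[off]; return (payload, next offset)."""
    n = int.from_bytes(buf[off:off + lensize], "big")
    off += lensize
    return buf[off:off + n], off + n


def parse_hello(record):
    """Parse one TLS record carrying a ClientHello (type 1) or ServerHello (type 2)."""
    if len(record) < 9 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    if len(msg) != hlen or htype not in (1, 2):
        raise ValueError("not a hello message")
    out = {"type": "client" if htype == 1 else "server",
           "version": struct.unpack("!H", msg[0:2])[0], "extensions": {}}
    off = 2 + 32                                   # skip version and random
    out["session_id"], off = _vec(msg, off, 1)
    if htype == 1:
        suites, off = _vec(msg, off, 2)
        out["cipher_suites"] = [struct.unpack("!H", suites[i:i + 2])[0]
                                for i in range(0, len(suites), 2)]
        _, off = _vec(msg, off, 1)                 # compression methods
    else:
        out["cipher_suite"] = struct.unpack("!H", msg[off:off + 2])[0]
        off += 3                                   # cipher suite + compression
    if off < len(msg):                             # extensions block is optional
        exts, off = _vec(msg, off, 2)
        e = 0
        while e + 4 <= len(exts):
            etype = struct.unpack("!H", exts[e:e + 2])[0]
            data, e = _vec(exts, e + 2, 2)
            out["extensions"][etype] = data
    return out


def sni_of(hello):
    """Return the host_name entry of the server_name extension, if any."""
    data = hello["extensions"].get(EXT_SNI)
    if not data:
        return None
    lst, _ = _vec(data, 0, 2)
    off = 0
    while off + 3 <= len(lst):
        ntype = lst[off]
        name, off = _vec(lst, off + 1, 2)
        if ntype == 0:
            return name.decode("ascii")
    return None


def classify(client_record, server_record):
    """Facts SslBump needs before (or instead of) seeing a server certificate."""
    ch, sh = parse_hello(client_record), parse_hello(server_record)
    resumed = bool(sh["session_id"]) and sh["session_id"] == ch["session_id"]
    return {"resumed": resumed,                    # no Certificate message follows
            "offered_ticket": EXT_SESSION_TICKET in ch["extensions"],
            "alpn": EXT_ALPN in ch["extensions"],
            "npn": EXT_NPN in ch["extensions"],
            "sni": sni_of(ch)}


# --- constructed fixtures (not real traffic) ---------------------------------
def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def _wrap(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(session_id=b"", sni=None, alpn=(), ticket=None):
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    suites = struct.pack("!HH", 0xC02F, 0x009C)    # assumed cipher suite offer
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    exts = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts += _ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        exts += _ext(EXT_ALPN, struct.pack("!H", len(protos)) + protos)
    if ticket is not None:
        exts += _ext(EXT_SESSION_TICKET, ticket)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return _wrap(1, body)


def build_server_hello(session_id):
    body = struct.pack("!H", 0x0303) + b"\x22" * 32 + bytes([len(session_id)]) + session_id
    return _wrap(2, body + struct.pack("!H", 0xC02F) + b"\x00")


if __name__ == "__main__":
    sid = bytes(range(32))
    ch = build_client_hello(sid, "example.com", ("h2", "http/1.1"), b"\xaa" * 16)
    print(classify(ch, build_server_hello(sid)))        # resumed: True
    print(classify(ch, build_server_hello(b"\x99" * 32)))  # resumed: False
```

When `resumed` is true the proxy has only the ClientHello's SNI and the ServerHello to act on, which is exactly the situation the patch's "splice or terminate" choice addresses. The layout parsed here is the TLS 1.2 one discussed in the thread; TLS 1.3 signals resumption through the pre_shared_key extension instead of the session_id echo, so the `resumed` test above would need extending for it.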

