[squid-dev] [PATCH] splicing resumed sessions

Amos Jeffries squid3 at treenet.co.nz
Sat Mar 21 05:23:41 UTC 2015


On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
> This patch adds the "ssl_bump_resuming_sessions" directive that controls
> SslBump behavior when dealing with "resuming SSL/TLS sessions". Without
> these changes, SslBump usually terminates all resuming sessions with an
> error because such sessions do not include server certificates,
> preventing Squid from successfully validating the server identity.
> 
> After these changes, Squid either terminates or splices resuming
> sessions, depending on configuration. Splicing is the right default
> because Squid most likely has spliced the original connections that the
> client and server are trying to resume now.  Most likely, the splicing
> decision would not change now (but the lack of the server certificate
> information means we cannot repeat the original ACL checks and need a
> special directive to tell Squid what to do). Also, without SslBump,
> session resumption would just work, and SslBump default should approach
> that ideal.
> 
> In many deployment scenarios, this straightforward "splice or terminate
> resuming sessions" implementation is exactly what the admin wants.
> Future projects may add more complex algorithms, including maintaining
> an SMP-shared cache of sessions that may be resumed in the future and
> evaluating client/server attempts to resume a session using that cache.
> 
> 
> Example:
>   # splice all resuming sessions [this is the default]
>   ssl_bump_resuming_sessions allow all
> 
> This patch also makes SSL client Hello message parsing more robust and
> adds an SSL server Hello message parser.
> 
> This patch also prevents occasional segfaults when dealing with SSL
> cache_peer negotiation failures.
> 
> The last two changes should be applied to squid-3.5 even if this patch will
> not go into squid-3.5.
> 

As discussed in the other branch of this thread, please remove the
access control directive until it's actually required.

I think the whole thing can go back to 3.5 if it's applying cleanly.


in src/ssl/bio.cc

* has many places with unnecessary whitespace additions.
 Such as "> size )", "<  size)", and "<<  sessIdLen);"



in src/ssl/bio.h
* parseV3ServerHello() documented as what is a "v3 server Hello A
message." ?
 - looks like the 'A' is misplaced, or there is an RFC reference missing
that would explain better.


+1. Otherwise, looks good to me.

Amos
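The core point of the quoted patch description, as an added example that is not code from Squid or from the patch under review: a resumed TLS session is recognisable from the Hello messages alone, because the server echoes the client's non-empty session id and then sends no Certificate message, leaving nothing for a bumping proxy to validate. The names `extractSessionId`, `isResumedSession` and `makeHello` are hypothetical; the code assumes one Hello per TLS record and only covers session-id resumption (ticket-based resumption with an empty client session id is not detected here).

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Offsets inside a TLS record carrying a single Hello handshake message:
// record hdr (5) + handshake hdr (4) + version (2) + random (32) = 43,
// followed by one byte of session_id length and the session id itself.
static const size_t kSidLenOffset = 43;

// Extract the session_id from a ClientHello (hsType 1) or ServerHello
// (hsType 2) record. Returns false if the record is truncated or of the
// wrong type; an empty session id is a valid (non-resumable) result.
bool extractSessionId(const std::vector<uint8_t> &rec, uint8_t hsType,
                      std::string &sid) {
    if (rec.size() <= kSidLenOffset) return false;
    if (rec[0] != 0x16 || rec[5] != hsType) return false;  // handshake record, msg type
    const size_t len = rec[kSidLenOffset];
    if (len > 32 || rec.size() < kSidLenOffset + 1 + len) return false;
    sid.assign(reinterpret_cast<const char *>(&rec[kSidLenOffset + 1]), len);
    return true;
}

// A session is being resumed (so no Certificate message will follow) when
// the server echoes the client's non-empty session id in its ServerHello.
bool isResumedSession(const std::vector<uint8_t> &clientHello,
                      const std::vector<uint8_t> &serverHello) {
    std::string csid, ssid;
    if (!extractSessionId(clientHello, 1, csid) ||
        !extractSessionId(serverHello, 2, ssid))
        return false;
    return !csid.empty() && csid == ssid;
}

// Build a minimal, constructed (not captured) Hello record of the given
// handshake type carrying the given session id. Fields after the session id
// are omitted because the check above never reads them.
std::vector<uint8_t> makeHello(uint8_t hsType, const std::string &sid) {
    std::vector<uint8_t> body = {hsType, 0, 0, 0, 0x03, 0x03};  // type, len(3), version
    body.insert(body.end(), 32, static_cast<uint8_t>(0xAB));   // "random"
    body.push_back(static_cast<uint8_t>(sid.size()));
    body.insert(body.end(), sid.begin(), sid.end());
    const uint16_t hsLen = static_cast<uint16_t>(body.size() - 4);
    body[2] = static_cast<uint8_t>(hsLen >> 8);
    body[3] = static_cast<uint8_t>(hsLen & 0xFF);
    std::vector<uint8_t> rec = {0x16, 0x03, 0x03,
                                static_cast<uint8_t>(body.size() >> 8),
                                static_cast<uint8_t>(body.size() & 0xFF)};
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}
```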