[squid-dev] [PATCH] remove HttpsPortList

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 11 05:17:25 UTC 2015


Combine the https_port list internal state with http_port state.
These two lists have been near identical for some time now and we can
easily reduce code by simply merging the two and using either the
secure.encryptTransport flag or the transport.protocol type to select
the remaining non-identical code paths.

There are only minor documentation changes resulting from this change.

Amos

-------------- next part --------------
=== modified file 'src/anyp/PortCfg.cc'
--- src/anyp/PortCfg.cc	2015-09-24 21:08:23 +0000
+++ src/anyp/PortCfg.cc	2015-10-10 06:35:15 +0000
@@ -2,43 +2,40 @@
  * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
 
 #include "squid.h"
 #include "anyp/PortCfg.h"
 #include "comm.h"
 #include "fatal.h"
 #include "security/PeerOptions.h"
 #if USE_OPENSSL
 #include "ssl/support.h"
 #endif
 
 #include <cstring>
 #include <limits>
 
 AnyP::PortCfgPointer HttpPortList;
-#if USE_OPENSSL
-AnyP::PortCfgPointer HttpsPortList;
-#endif
 AnyP::PortCfgPointer FtpPortList;
 
 int NHttpSockets = 0;
 int HttpSockets[MAXTCPLISTENPORTS];
 
 AnyP::PortCfg::PortCfg() :
     next(),
     s(),
     transport(AnyP::PROTO_HTTP,1,1), // "Squid is an HTTP proxy", etc.
     name(NULL),
     defaultsite(NULL),
     flags(),
     allow_direct(false),
     vhost(false),
     actAsOrigin(false),
     ignore_cc(false),
     connection_auth_disabled(false),
     ftp_track_dirs(false),
     vport(0),
     disable_pmtu_discovery(0),

=== modified file 'src/anyp/PortCfg.h'
--- src/anyp/PortCfg.h	2015-09-24 21:08:23 +0000
+++ src/anyp/PortCfg.h	2015-10-10 06:37:36 +0000
@@ -78,42 +78,37 @@
     char *tls_dh;
     char *sslContextSessionId; ///< "session id context" for staticSslContext
     bool generateHostCertificates; ///< dynamically make host cert for sslBump
     size_t dynamicCertMemCacheSize; ///< max size of generated certificates memory cache
 
     Ssl::SSL_CTX_Pointer staticSslContext; ///< for HTTPS accelerator or static sslBump
     Security::CertPointer signingCert; ///< x509 certificate for signing generated certificates
     Ssl::EVP_PKEY_Pointer signPkey; ///< private key for sighing generated certificates
     Ssl::X509_STACK_Pointer certsToChain; ///<  x509 certificates to send with the generated cert
     Security::CertPointer untrustedSigningCert; ///< x509 certificate for signing untrusted generated certificates
     Ssl::EVP_PKEY_Pointer untrustedSignPkey; ///< private key for signing untrusted generated certificates
 
     Ssl::X509_NAME_STACK_Pointer clientCA; ///< CA certificates to use when verifying client certificates
     Ssl::DH_Pointer dhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
     char *eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges
 #endif
 };
 
 } // namespace AnyP
 
-/// list of Squid http_port configured
+/// list of Squid http(s)_port configured
 extern AnyP::PortCfgPointer HttpPortList;
 
-#if USE_OPENSSL
-/// list of Squid https_port configured
-extern AnyP::PortCfgPointer HttpsPortList;
-#endif
-
 /// list of Squid ftp_port configured
 extern AnyP::PortCfgPointer FtpPortList;
 
 #if !defined(MAXTCPLISTENPORTS)
 // Max number of TCP listening ports
 #define MAXTCPLISTENPORTS 128
 #endif
 
 // TODO: kill this global array. Need to check performance of array vs list though.
 extern int NHttpSockets;
 extern int HttpSockets[MAXTCPLISTENPORTS];
 
 #endif /* SQUID_ANYP_PORTCFG_H */
 

=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc	2015-10-09 06:02:01 +0000
+++ src/cache_cf.cc	2015-10-10 06:16:17 +0000
@@ -878,52 +878,45 @@
     }
 
     for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
 
         // default value for ssldomain= is the peer host/IP
         if (p->secure.sslDomain.isEmpty())
             p->secure.sslDomain = p->host;
 
         if (p->secure.encryptTransport) {
             debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " TLS context");
             p->sslContext = p->secure.createClientContext(true);
             if (!p->sslContext) {
                 debugs(3, DBG_CRITICAL, "ERROR: Could not initialize cache_peer " << p->name << " TLS context");
                 self_destruct();
             }
         }
     }
 
 #if USE_OPENSSL
     for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
-        if (!s->flags.tunnelSslBumping)
+        if (!s->secure.encryptTransport)
             continue;
-
-        debugs(3, DBG_IMPORTANT, "Initializing http_port " << s->s << " SSL context");
+        debugs(3, DBG_IMPORTANT, "Initializing " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s << " TLS context");
         s->configureSslServerContext();
     }
-
-    for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
-        debugs(3, DBG_IMPORTANT, "Initializing https_port " << s->s << " SSL context");
-        s->configureSslServerContext();
-    }
-
 #endif
 
     // prevent infinite fetch loops in the request parser
     // due to buffer full but not enough data recived to finish parse
     if (Config.maxRequestBufferSize <= Config.maxRequestHeaderSize) {
         fatalf("Client request buffer of %u bytes cannot hold a request with %u bytes of headers." \
                " Change client_request_buffer_max or request_header_max_size limits.",
                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
     }
 
     /*
      * Disable client side request pipelining if client_persistent_connections OFF.
      * Waste of resources queueing any pipelined requests when the first will close the connection.
      */
     if (Config.pipeline_max_prefetch > 0 && !Config.onoff.client_pconns) {
         debugs(3, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: pipeline_prefetch " << Config.pipeline_max_prefetch <<
                " requires client_persistent_connections ON. Forced pipeline_prefetch 0.");
         Config.pipeline_max_prefetch = 0;
     }
 

=== modified file 'src/cf.data.pre'
--- src/cf.data.pre	2015-10-10 07:11:39 +0000
+++ src/cf.data.pre	2015-10-10 07:11:59 +0000
@@ -2040,44 +2040,44 @@
 			timeout the time before giving up.
 
 	   require-proxy-header
 			Require PROXY protocol version 1 or 2 connections.
 			The proxy_protocol_access is required to whitelist
 			downstream proxies which can be trusted.
 
 	If you run Squid on a dual-homed machine with an internal
 	and an external interface we recommend you to specify the
 	internal address:port in http_port. This way Squid will only be
 	visible on the internal address.
 
 NOCOMMENT_START
 
 # Squid normally listens to port 3128
 http_port @DEFAULT_HTTP_PORT@
 NOCOMMENT_END
 DOC_END
 
 NAME: https_port
-IFDEF: USE_OPENSSL
+IFDEF: USE_GNUTLS||USE_OPENSSL
 TYPE: PortCfg
 DEFAULT: none
-LOC: HttpsPortList
+LOC: HttpPortList
 DOC_START
 	Usage:  [ip:]port [mode] cert=certificate.pem [options]
 
 	The socket address where Squid will listen for client requests made
 	over TLS or SSL connections. Commonly referred to as HTTPS.
 
 	This is most useful for situations where you are running squid in
 	accelerator mode and you want to do the TLS work at the accelerator level.
 
 	You may specify multiple socket addresses on multiple lines,
 	each with their own certificate and/or options.
 
 	The TLS cert= option is mandatory on HTTPS ports.
 
 	See http_port for a list of modes and options.
 DOC_END
 
 NAME: ftp_port
 TYPE: PortCfg
 DEFAULT: none

=== modified file 'src/client_side.cc'
--- src/client_side.cc	2015-09-27 10:30:23 +0000
+++ src/client_side.cc	2015-10-11 04:24:59 +0000
@@ -4359,137 +4359,108 @@
     }
     return true;
 }
 
 /// find any unused HttpSockets[] slot and store fd there or return false
 static bool
 AddOpenedHttpSocket(const Comm::ConnectionPointer &conn)
 {
     bool found = false;
     for (int i = 0; i < NHttpSockets && !found; ++i) {
         if ((found = HttpSockets[i] < 0))
             HttpSockets[i] = conn->fd;
     }
     return found;
 }
 
 static void
 clientHttpConnectionsOpen(void)
 {
     for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
+        const char *scheme = AnyP::UriScheme(s->transport.protocol).c_str();
+
         if (MAXTCPLISTENPORTS == NHttpSockets) {
-            debugs(1, DBG_IMPORTANT, "WARNING: You have too many 'http_port' lines.");
+            debugs(1, DBG_IMPORTANT, "WARNING: You have too many '" << scheme << "_port' lines.");
             debugs(1, DBG_IMPORTANT, "         The limit is " << MAXTCPLISTENPORTS << " HTTP ports.");
             continue;
         }
 
 #if USE_OPENSSL
-        if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) {
-            debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s);
-            s->flags.tunnelSslBumping = false;
-        }
-
-        if (s->flags.tunnelSslBumping &&
-                !s->staticSslContext &&
-                !s->generateHostCertificates) {
-            debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure.");
-            s->flags.tunnelSslBumping = false;
-        }
         if (s->flags.tunnelSslBumping) {
-            // Create ssl_ctx cache for this port.
-            Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize);
+            if (!Config.accessList.ssl_bump) {
+                debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s);
+                s->flags.tunnelSslBumping = false;
+            }
+            if (!s->staticSslContext && !s->generateHostCertificates) {
+                debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure.");
+                s->flags.tunnelSslBumping = false;
+                if (s->transport.protocol == AnyP::PROTO_HTTP)
+                    s->secure.encryptTransport = false;
+            }
+            if (s->flags.tunnelSslBumping) {
+                // Create ssl_ctx cache for this port.
+                auto sz = s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize;
+                Ssl::TheGlobalContextStorage.addLocalStorage(s->s, sz);
+            }
         }
 #endif
 
-        // Fill out a Comm::Connection which IPC will open as a listener for us
-        //  then pass back when active so we can start a TcpAcceptor subscription.
-        s->listenConn = new Comm::Connection;
-        s->listenConn->local = s->s;
-        s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | (s->flags.natIntercept ? COMM_INTERCEPTION : 0);
-
-        // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP
-        typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
-        RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpAccept", CommAcceptCbPtrFun(httpAccept, CommAcceptCbParams(NULL)));
-        Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
-
-        AsyncCall::Pointer listenCall = asyncCall(33,2, "clientListenerConnectionOpened",
-                                        ListeningStartedDialer(&clientListenerConnectionOpened, s, Ipc::fdnHttpSocket, sub));
-        Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpSocket, listenCall);
-
-        HttpSockets[NHttpSockets] = -1; // set in clientListenerConnectionOpened
-        ++NHttpSockets;
-    }
-}
-
-#if USE_OPENSSL
-static void
-clientHttpsConnectionsOpen(void)
-{
-    for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
-        if (MAXTCPLISTENPORTS == NHttpSockets) {
-            debugs(1, DBG_IMPORTANT, "Ignoring 'https_port' lines exceeding the limit.");
-            debugs(1, DBG_IMPORTANT, "The limit is " << MAXTCPLISTENPORTS << " HTTPS ports.");
-            continue;
-        }
-
-        if (!s->staticSslContext) {
-            debugs(1, DBG_IMPORTANT, "Ignoring https_port " << s->s <<
-                   " due to SSL initialization failure.");
+        if (s->secure.encryptTransport && !s->staticSslContext) {
+            debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << " due to TLS context initialization failure.");
             continue;
         }
 
-        // TODO: merge with similar code in clientHttpConnectionsOpen()
-        if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) {
-            debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s);
-            s->flags.tunnelSslBumping = false;
-        }
-
-        if (s->flags.tunnelSslBumping && !s->staticSslContext && !s->generateHostCertificates) {
-            debugs(1, DBG_IMPORTANT, "Will not bump SSL at https_port " << s->s << " due to SSL initialization failure.");
-            s->flags.tunnelSslBumping = false;
-        }
-
-        if (s->flags.tunnelSslBumping) {
-            // Create ssl_ctx cache for this port.
-            Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize);
-        }
-
         // Fill out a Comm::Connection which IPC will open as a listener for us
+        //  then pass back when active so we can start a TcpAcceptor subscription.
         s->listenConn = new Comm::Connection;
         s->listenConn->local = s->s;
+
         s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) |
                                (s->flags.natIntercept ? COMM_INTERCEPTION : 0);
 
-        // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS
         typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
-        RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpsAccept", CommAcceptCbPtrFun(httpsAccept, CommAcceptCbParams(NULL)));
-        Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
+        if (s->transport.protocol == AnyP::PROTO_HTTP) {
+            // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP
+            RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpAccept", CommAcceptCbPtrFun(httpAccept, CommAcceptCbParams(NULL)));
+            Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
+
+            AsyncCall::Pointer listenCall = asyncCall(33,2, "clientListenerConnectionOpened",
+                                            ListeningStartedDialer(&clientListenerConnectionOpened, s, Ipc::fdnHttpSocket, sub));
+            Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpSocket, listenCall);
+
+#if USE_OPENSSL
+        } else if (s->transport.protocol == AnyP::PROTO_HTTPS) {
+            // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS
+            RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpsAccept", CommAcceptCbPtrFun(httpsAccept, CommAcceptCbParams(NULL)));
+            Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
+
+            AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened",
+                                            ListeningStartedDialer(&clientListenerConnectionOpened,
+                                                    s, Ipc::fdnHttpsSocket, sub));
+            Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall);
+#endif
+        }
 
-        AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened",
-                                        ListeningStartedDialer(&clientListenerConnectionOpened,
-                                                s, Ipc::fdnHttpsSocket, sub));
-        Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall);
-        HttpSockets[NHttpSockets] = -1;
+        HttpSockets[NHttpSockets] = -1; // set in clientListenerConnectionOpened
         ++NHttpSockets;
     }
 }
-#endif
 
 void
 clientStartListeningOn(AnyP::PortCfgPointer &port, const RefCount< CommCbFunPtrCallT<CommAcceptCbPtrFun> > &subCall, const Ipc::FdNoteId fdNote)
 {
     // Fill out a Comm::Connection which IPC will open as a listener for us
     port->listenConn = new Comm::Connection;
     port->listenConn->local = port->s;
     port->listenConn->flags =
         COMM_NONBLOCKING |
         (port->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) |
         (port->flags.natIntercept ? COMM_INTERCEPTION : 0);
 
     // route new connections to subCall
     typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
     Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
     AsyncCall::Pointer listenCall =
         asyncCall(33, 2, "clientListenerConnectionOpened",
                   ListeningStartedDialer(&clientListenerConnectionOpened,
                                          port, fdNote, sub));
     Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, port->listenConn, fdNote, listenCall);
@@ -4511,69 +4482,56 @@
     Must(Comm::IsConnOpen(s->listenConn));
 
     // TCP: setup a job to handle accept() with subscribed handler
     AsyncJob::Start(new Comm::TcpAcceptor(s, FdNote(portTypeNote), sub));
 
     debugs(1, DBG_IMPORTANT, "Accepting " <<
            (s->flags.natIntercept ? "NAT intercepted " : "") <<
            (s->flags.tproxyIntercept ? "TPROXY intercepted " : "") <<
            (s->flags.tunnelSslBumping ? "SSL bumped " : "") <<
            (s->flags.accelSurrogate ? "reverse-proxy " : "")
            << FdNote(portTypeNote) << " connections at "
            << s->listenConn);
 
     Must(AddOpenedHttpSocket(s->listenConn)); // otherwise, we have received a fd we did not ask for
 }
 
 void
 clientOpenListenSockets(void)
 {
     clientHttpConnectionsOpen();
-#if USE_OPENSSL
-    clientHttpsConnectionsOpen();
-#endif
     Ftp::StartListening();
 
     if (NHttpSockets < 1)
         fatal("No HTTP, HTTPS, or FTP ports configured");
 }
 
 void
 clientConnectionsClose()
 {
     for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
         if (s->listenConn != NULL) {
-            debugs(1, DBG_IMPORTANT, "Closing HTTP port " << s->listenConn->local);
-            s->listenConn->close();
-            s->listenConn = NULL;
-        }
-    }
-
-#if USE_OPENSSL
-    for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
-        if (s->listenConn != NULL) {
-            debugs(1, DBG_IMPORTANT, "Closing HTTPS port " << s->listenConn->local);
+            debugs(1, DBG_IMPORTANT, "Closing HTTP(S) port " << s->listenConn->local);
             s->listenConn->close();
             s->listenConn = NULL;
         }
     }
-#endif
 
     Ftp::StopListening();
 
     // TODO see if we can drop HttpSockets array entirely */
     for (int i = 0; i < NHttpSockets; ++i) {
         HttpSockets[i] = -1;
     }
 
     NHttpSockets = 0;
 }
 
 int
 varyEvaluateMatch(StoreEntry * entry, HttpRequest * request)
 {
     const char *vary = request->vary_headers;
     int has_vary = entry->getReply()->header.has(Http::HdrType::VARY);
 #if X_ACCELERATOR_VARY
 
     has_vary |=
         entry->getReply()->header.has(Http::HdrType::HDR_X_ACCELERATOR_VARY);

=== modified file 'src/ssl/helper.cc'
--- src/ssl/helper.cc	2015-05-18 12:50:03 +0000
+++ src/ssl/helper.cc	2015-10-10 06:35:44 +0000
@@ -29,42 +29,40 @@
 }
 
 Ssl::Helper::Helper() : ssl_crtd(NULL)
 {
 }
 
 Ssl::Helper::~Helper()
 {
     Shutdown();
 }
 
 void Ssl::Helper::Init()
 {
     assert(ssl_crtd == NULL);
 
     // we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
     // TODO: generate host certificates for SNI enabled accel ports
     bool found = false;
     for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
         found = s->flags.tunnelSslBumping && s->generateHostCertificates;
-    for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next)
-        found = s->flags.tunnelSslBumping && s->generateHostCertificates;
     if (!found)
         return;
 
     ssl_crtd = new helper("ssl_crtd");
     ssl_crtd->childs.updateLimits(Ssl::TheConfig.ssl_crtdChildren);
     ssl_crtd->ipc_type = IPC_STREAM;
     // The crtd messages may contain the eol ('\n') character. We are
     // going to use the '\1' char as the end-of-message mark.
     ssl_crtd->eom = '\1';
     assert(ssl_crtd->cmdline == NULL);
     {
         char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
         char *tmp_begin = tmp;
         char * token = NULL;
         bool db_path_was_found = false;
         bool block_size_was_found = false;
         char buffer[20] = "2048";
         while ((token = strwordtok(NULL, &tmp))) {
             wordlistAdd(&ssl_crtd->cmdline, token);
             if (!strcmp(token, "-b"))
@@ -121,42 +119,40 @@
     return &sslHelper;
 }
 
 Ssl::CertValidationHelper::CertValidationHelper() : ssl_crt_validator(NULL)
 {
 }
 
 Ssl::CertValidationHelper::~CertValidationHelper()
 {
     Shutdown();
 }
 
 void Ssl::CertValidationHelper::Init()
 {
     assert(ssl_crt_validator == NULL);
 
     // we need to start ssl_crtd only if some port(s) need to bump SSL
     bool found = false;
     for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
         found = s->flags.tunnelSslBumping;
-    for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next)
-        found = s->flags.tunnelSslBumping;
     if (!found)
         return;
 
     ssl_crt_validator = new helper("ssl_crt_validator");
     ssl_crt_validator->childs.updateLimits(Ssl::TheConfig.ssl_crt_validator_Children);
     ssl_crt_validator->ipc_type = IPC_STREAM;
     // The crtd messages may contain the eol ('\n') character. We are
     // going to use the '\1' char as the end-of-message mark.
     ssl_crt_validator->eom = '\1';
     assert(ssl_crt_validator->cmdline == NULL);
 
     int ttl = 60;
     size_t cache = 2048;
     {
         char *tmp = xstrdup(Ssl::TheConfig.ssl_crt_validator);
         char *tmp_begin = tmp;
         char * token = NULL;
         bool parseParams = true;
         while ((token = strwordtok(NULL, &tmp))) {
             if (parseParams) {

=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc	2015-10-03 05:26:00 +0000
+++ src/ssl/support.cc	2015-10-10 06:37:11 +0000
@@ -1420,79 +1420,73 @@
     // the reference count is not incremented and therefore the session must
     // not be explicitly freed with SSL_SESSION_free(3).
     *copy = 0;
     return session;
 }
 
 static void
 setSessionCallbacks(SSL_CTX *ctx)
 {
     if (SslSessionCache) {
         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
         SSL_CTX_sess_set_new_cb(ctx, store_session_cb);
         SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
         SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
     }
 }
 
 static bool
 isSslServer()
 {
-    if (HttpsPortList != NULL)
-        return true;
-
     for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
+        if (s->secure.encryptTransport)
+            return true;
         if (s->flags.tunnelSslBumping)
             return true;
     }
 
     return false;
 }
 
 #define SSL_SESSION_ID_SIZE 32
 #define SSL_SESSION_MAX_SIZE 10*1024
 
 void
 Ssl::initialize_session_cache()
 {
 
     if (!isSslServer()) //no need to configure ssl session cache.
         return;
 
     // Check if the MemMap keys and data are enough big to hold
     // session ids and session data
     assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);
     assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE);
 
     int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
     if (IamWorkerProcess() && configuredItems)
         SslSessionCache = new Ipc::MemMap(SslSessionCacheName);
     else {
         SslSessionCache = NULL;
         return;
     }
 
-    for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
-        if (s->staticSslContext.get() != NULL)
-            setSessionCallbacks(s->staticSslContext.get());
-    }
-
     for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
         if (s->staticSslContext.get() != NULL)
             setSessionCallbacks(s->staticSslContext.get());
     }
 }
 
 void
 destruct_session_cache()
 {
     delete SslSessionCache;
 }
 
 /// initializes shared memory segments used by MemStore
 class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner
 {
 public:
     /* RegisteredRunner API */
     SharedSessionCacheRr(): owner(NULL) {}
     virtual void useConfig();
     virtual ~SharedSessionCacheRr();

=== modified file 'src/tools.cc'
--- src/tools.cc	2015-08-30 00:26:47 +0000
+++ src/tools.cc	2015-10-10 06:21:06 +0000
@@ -404,47 +404,40 @@
 
 const char *
 getMyHostname(void)
 {
     LOCAL_ARRAY(char, host, SQUIDHOSTNAMELEN + 1);
     static int present = 0;
     struct addrinfo *AI = NULL;
     Ip::Address sa;
 
     if (Config.visibleHostname != NULL)
         return Config.visibleHostname;
 
     if (present)
         return host;
 
     host[0] = '\0';
 
     if (HttpPortList != NULL && sa.isAnyAddr())
         sa = HttpPortList->s;
 
-#if USE_OPENSSL
-
-    if (HttpsPortList != NULL && sa.isAnyAddr())
-        sa = HttpsPortList->s;
-
-#endif
-
     /*
      * If the first http_port address has a specific address, try a
      * reverse DNS lookup on it.
      */
     if ( !sa.isAnyAddr() ) {
 
         sa.getAddrInfo(AI);
         /* we are looking for a name. */
         if (getnameinfo(AI->ai_addr, AI->ai_addrlen, host, SQUIDHOSTNAMELEN, NULL, 0, NI_NAMEREQD ) == 0) {
             /* DNS lookup successful */
             /* use the official name from DNS lookup */
             debugs(50, 4, "getMyHostname: resolved " << sa << " to '" << host << "'");
 
             present = 1;
 
             Ip::Address::FreeAddr(AI);
 
             if (strchr(host, '.'))
                 return host;
         }
@@ -1061,50 +1054,40 @@
             fqdncacheAddEntryFromHosts(addr, hosts);
             wordlistDestroy(&hosts);
         }
     }
 
     fclose (fp);
 }
 
 int
 getMyPort(void)
 {
     AnyP::PortCfgPointer p;
     if ((p = HttpPortList) != NULL) {
         // skip any special interception ports
         while (p != NULL && p->flags.isIntercepted())
             p = p->next;
         if (p != NULL)
             return p->s.port();
     }
 
-#if USE_OPENSSL
-    if ((p = HttpsPortList) != NULL) {
-        // skip any special interception ports
-        while (p != NULL && p->flags.isIntercepted())
-            p = p->next;
-        if (p != NULL)
-            return p->s.port();
-    }
-#endif
-
     if ((p = FtpPortList) != NULL) {
         // skip any special interception ports
         while (p != NULL && p->flags.isIntercepted())
             p = p->next;
         if (p != NULL)
             return p->s.port();
     }
 
     debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured.");
     return 0; // Invalid port. This will result in invalid URLs on bad configurations.
 }
 
 /*
  * Set the umask to at least the given mask. This is in addition
  * to the umask set at startup
  */
 void
 setUmask(mode_t mask)
 {
     // No way to get the current umask value without setting it.



More information about the squid-dev mailing list