[squid-dev] [PATCH] Handle SSL v2 Hello
Amos Jeffries
squid3 at treenet.co.nz
Tue Sep 1 09:14:07 UTC 2015
On 1/09/2015 6:13 p.m., Amos Jeffries wrote:
> On 1/09/2015 5:32 p.m., Alex Rousskov wrote:
>> Hello,
>>
>> The attached trunk and v3.5 patches allow Squid to splice SSLv3 and
>> TLSv1 sessions that start with an SSL v2 Hello message. Such sessions
>> are created, for example, by some SSL clients using OpenSSL v0.9.8 with
>> default options. These patches do _not_ re-enable SSLv2 sessions support
>> in trunk.
>>
>> Bumping TLSv1 sessions that start with SSL v2 Hello also appears to work.
>>
>>
>> In my tests, attempts to bump SSLv3 sessions that start with SSL v2
>> Hello message terminate during server handshake if Squid stares at the
>> server certificate (i.e., if an "ssl_bump stare" rule matches at bumping
>> step #2). When this happens, Squid logs the following error message:
>>
>> 2015/08/31 22:11:56.459| Error negotiating SSL on FD 14:
>> error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
>> (1/-1/0)
>>
>> However, AFAICT, the same or similar problem exists in the unpatched
>> Squid (for connections that start with SSL v3 Hello). It could be
>> another bug or a deficiency of my test setup.
>
>
> +1. Looks good to me.
>
> Please apply to trunk ASAP. Or if you dont get this within an hour or so
> I will apply it on your behalf so this can make 3.5.8.
>
Applied to trunk as rev.14278.
Cheers
Amos
More information about the squid-dev
mailing list