[squid-dev] [PATCH] make ssl-bump implicit on HTTPS interception ports
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 14 02:55:43 UTC 2016
Using an https_port with intercept or tproxy is pretty useless without
ssl-bump being enabled. So auto-enable the 'ssl-bump' option on those
ports instead of aborting with an error about ssl-bump being needed.
The result of this should be that the intercepted traffic gets received
by either the 'unknown protocol' pass-thru settings or the admin's other
ssl-bump related settings enacted.
Amos
-------------- next part --------------
=== modified file 'doc/release-notes/release-4.sgml'
--- doc/release-notes/release-4.sgml 2016-06-09 20:31:15 +0000
+++ doc/release-notes/release-4.sgml 2016-06-13 14:45:42 +0000
@@ -272,6 +272,8 @@
<p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
<p>Manual squid.conf update may be required on upgrade.
<p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries.
+ <p><em>ssl-bump</em> is now implicitly enabled for <em>intercept</em> or
+ <em>tproxy</em> ports.
<tag>icap_service</tag>
<p>New scheme <em>icaps://</em> to enable TLS/SSL connections to Secure ICAP
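Review bot: the added sentence (`+ <p><em>ssl-bump</em> is now implicitly enabled for <em>intercept</em> or` / `+ <em>tproxy</em> ports.`) does not say which port directive it applies to. The accompanying cache_cf.cc change only touches the https_port checks, and intercept/tproxy on http_port still needs an explicit ssl-bump, so the note should name the directive, e.g. "<em>ssl-bump</em> is now implicitly enabled on <em>https_port</em> lines that use <em>intercept</em> or <em>tproxy</em>". It is also worth stating that a configuration which previously failed at startup now starts and performs TLS interception, so the admin's other ssl-bump related settings need to cover those ports.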
=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc 2016-04-03 23:41:58 +0000
+++ src/cache_cf.cc 2016-06-13 14:24:22 +0000
@@ -3696,10 +3696,9 @@
debugs(3, DBG_CRITICAL, "FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.");
self_destruct();
}
- if (hijacked && !s->flags.tunnelSslBumping) {
- debugs(3, DBG_CRITICAL, "FATAL: tproxy/intercept on https_port requires ssl-bump which is missing.");
- self_destruct();
- }
+ // intercepted traffic on https_port implies 'ssl-bump'
+ if (hijacked && !s->flags.tunnelSslBumping)
+ s->flags.tunnelSslBumping = true;
#endif
if (s->flags.proxySurrogate) {
debugs(3,DBG_CRITICAL, "FATAL: https_port: require-proxy-header option is not supported on HTTPS ports.");
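Review bot: the `!s->flags.tunnelSslBumping` test in `+ if (hijacked && !s->flags.tunnelSslBumping)` is redundant, since the body only ever sets the flag to true; `if (hijacked) s->flags.tunnelSslBumping = true;` expresses the same thing. The more important point is that what used to be a FATAL is now a silent behaviour change: an https_port intercept/tproxy line with no ssl-bump will start bumping TLS without any startup message telling the admin so. Consider emitting a non-fatal debugs() notice at this point (the surrounding debugs(3, DBG_CRITICAL, ...) calls show the pattern) so the implicit enablement is visible in cache.log. Note that the preceding check, "ssl-bump on https_port requires tproxy/intercept", is kept, so explicit ssl-bump without interception remains an error while the reverse is now implied; the release note should describe both sides.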
@@ -3814,7 +3813,8 @@
}
#if USE_OPENSSL
- if (s->flags.tunnelSslBumping)
+ // ssl-bump is implicit for HTTPS intercept/tproxy ports, otherwise explicit
+ if (s->flags.tunnelSslBumping && !s->flags.isIntercepted())
storeAppendPrintf(e, " ssl-bump");
#endif
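Review bot: omitting " ssl-bump" from the dump whenever `s->flags.isIntercepted()` is true (`+ if (s->flags.tunnelSslBumping && !s->flags.isIntercepted())`) is only correct if this dump code runs for https_port alone. The hunk does not show the enclosing function; if it is shared with http_port lines, an http_port configured with intercept plus an explicit ssl-bump would be dumped without ssl-bump, and re-reading that dumped configuration would lose the option. Either restrict the exclusion to HTTPS ports, matching the condition the parse-time change applies to, or keep dumping ssl-bump unconditionally, which has the added benefit that the effective (implicit) setting stays visible to anyone auditing the config dump.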