[squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.

Christos Tsantilas christos at chtsanti.net
Fri Nov 4 17:45:42 UTC 2016


The SQUID-211-Skype_groups_and_msnp_bypass-t11.patch applied to trunk as 
r14913
The SQUID-211-FwdState_connectStart_cleanup-t1.patch patch applied as r14914

The final applied patch has one more change over the t10 patch, it 
merges the ConnStateData::startPeekAndSplice() and 
CoinnStateData::startPeekAndSpliceDone() to one method.
This is possible because the r14898 and this patch removes any extra 
call from old startPeekAndSplice method.

I am attaching the final patch as t11.


On 11/02/2016 12:59 AM, Amos Jeffries wrote:
> On 2/11/2016 4:31 a.m., Christos Tsantilas wrote:
>> On 10/28/2016 01:11 PM, Amos Jeffries wrote:
>>> On 21/10/2016 3:55 a.m., Christos Tsantilas wrote:
>>>>
>>>> Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.
>>>>
>>>> Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead
>>>> of HTTPS. This change allows Squid admins using SslBump to tunnel Skype
>>>> groups and similar non-HTTP traffic bytes via "on_unsupported_protocol
>>>> tunnel all". Previously, the combination resulted in encrypted HTTP 400
>>>> (Bad Request) messages sent to the client (that does not speak HTTP).
>>>>
>>>> Also this patch:
>>>>  * fixes bug 4529: !EBIT_TEST(entry->flags, ENTRY_FWD_HDR_WAIT)
>>>>    assertion in FwdState.cc.
>>>>
>>>>  * when splicing transparent connections during SslBump step1, avoid
>>>>    access-logging an extra record and log %ssl::bump_mode as the
>>>> expected
>>>>    "splice" not "none".
>>>>
>>>>  * handles an XXX comment inside clientTunnelOnError for possible memory
>>>>    leak of client streams related objects
>>>>
>>>>  * fixes TunnelStateData logging in the case of splicing after peek.
>>>>
>>>> This is a Measurement Factory project.
>>>
>>>
>>> Are any of these additional fixes able to be easily broken out into
>>> separate patches? It would greatly help the auditing process to get
>>> smaller patches.
>>>
>>> in src/FwdState.cc:
>>>
>>> * Most of the changed lines are a needless de-scoping of code.
>>>  - note that the sub-scope existed to begin with so as to silence noisy
>>> false-positives by static analysis tools (trunk rev.14790).
>>
>> I make FwdState related fixes a separate patch and I remove it from main
>> patch.
>> Do you believe that the SQUID-211-FwdState_connectStart_cleanup-t1.patch
>> will cause problems to Squid?
>> We can just remove the line :
>>   pinned_connection->stopPinnedConnectionMonitoring();
>>
>
> It is not problems in Squid itself, but in the analysis tools being
> confused. We can try this one and see how it goes.
>
>
>>>
>>>  - please take advantage of the surrounding code being re-written to
>>> cleanup:
>>>     if (peer_paths == NULL || peer_paths->size() < 1) {
>>>         debugs(26, 3, HERE << "No paths found. Aborting CONNECT");
>>> as:
>>>     if (!peer_paths || peer_paths->size() < 1) {
>>>         debugs(26, 3, "No paths found. Aborting CONNECT");
>>
>>
>> I did not this fix Amos.
>> I will make a separate commit after this patch committed if you want it.
>>
>
> I'm okay with that. Please do it the way Alex suggested though that is
> slightly better.
>
> +1.
>
> Amos
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-211-Skype_groups_and_msnp_bypass-t11.patch
Type: text/x-patch
Size: 91909 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20161104/bbbea014/attachment-0001.bin>


More information about the squid-dev mailing list