[squid-dev] TLS session extended data

Christos Tsantilas christos at chtsanti.net
Fri Apr 14 11:40:26 UTC 2017


On 13/04/2017 01:22 AM, Amos Jeffries wrote:
> OpenSSL uses extension-data API with SSL_set_ex_data() SSL_get_ex_data()
> to store extra details in one part of code and retrieve them in others.
>
> Thus the globals.h 'registrations' for these data:
>  extern int ssl_ex_index_server;                  /* -1 */
>  extern int ssl_ctx_ex_index_dont_verify_domain;  /* -1 */
>  extern int ssl_ex_index_cert_error_check;        /* -1 */
>  extern int ssl_ex_index_ssl_error_detail;        /* -1 */
>  extern int ssl_ex_index_ssl_peeked_cert;         /* -1 */
>  extern int ssl_ex_index_ssl_errors;              /* -1 */
>  extern int ssl_ex_index_ssl_cert_chain;          /* -1 */
>  extern int ssl_ex_index_ssl_validation_counter;  /* -1 */

There is also ssl_ex_index_ssl_untrusted_chain, which is not listed
in globals.cc.

>
> GnuTLS has a similar feature, BUT critical difference is that we have to
> store a raw-pointer and can only attach one to a session. We cannot
> register different datums like OpenSSL does.
>
>
> The obvious solution is merging the above items into a single custom
> class and have a static getter function to retrieve the relevant object
> from a session. Creating and attaching an instance of that class if the
> session has none yet.
>
> I intend to do it one at a time. Starting with ssl_ex_index_server, and
> moving on to the others only as the non-OpenSSL code needs them.
>
>
> Christos; this is most likely going to be a fairly major impact on your
> pending work, and need some of your time testing things work okay still.
>
>
> Amos
>
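Amos's proposal above, as an added example that is not Squid's code: one per-session class replaces the separate ssl_ex_index_* slots, and a static getter creates and attaches an instance the first time a session is seen. `FakeSession` and its two accessors are a constructed stand-in for the single-pointer `gnutls_session_set_ptr()`/`gnutls_session_get_ptr()` slot, and the member names are assumptions.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed stand-in for a GnuTLS session: the library offers exactly one
// application pointer per session, so that is all we model here (no real TLS).
struct FakeSession {
    void *appPtr = nullptr;
};
static void fake_session_set_ptr(FakeSession *s, void *p) { s->appPtr = p; }
static void *fake_session_get_ptr(FakeSession *s) { return s->appPtr; }

// Merged bundle of everything Squid used to keep in separate ex_data indexes.
class SessionData {
public:
    // Returns the bundle attached to the session, creating and attaching one
    // on first use so every caller gets the same object and never a null.
    static SessionData &Get(FakeSession &s) {
        if (void *p = fake_session_get_ptr(&s))
            return *static_cast<SessionData *>(p);
        auto *fresh = new SessionData();
        fake_session_set_ptr(&s, fresh);
        return *fresh;
    }
    // Detaches and destroys the bundle; call when the session is closed.
    static void Release(FakeSession &s) {
        delete static_cast<SessionData *>(fake_session_get_ptr(&s));
        fake_session_set_ptr(&s, nullptr);
    }

    std::string server;                 // was ssl_ex_index_server (assumed type)
    bool dontVerifyDomain = false;       // was ssl_ctx_ex_index_dont_verify_domain
    std::vector<std::string> errors;    // was ssl_ex_index_ssl_errors
    unsigned validationCounter = 0;     // was ssl_ex_index_ssl_validation_counter
};

// Two unrelated code paths sharing one session, as the mail describes:
// one side stores details, the other retrieves them later.
void recordValidationError(FakeSession &s, const std::string &err) {
    SessionData &d = SessionData::Get(s);
    d.errors.push_back(err);
    ++d.validationCounter;
}
std::size_t validationErrorCount(FakeSession &s) {
    return SessionData::Get(s).errors.size();
}
```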