[squid-users] [PATCH] SSL: Add suport for EECDH and disable client-initiated renegotiation
Amos Jeffries
squid3 at treenet.co.nz
Mon May 25 13:46:00 UTC 2015
On 25/05/2015 11:30 p.m., Paulo Matias wrote:
> Hi,
>
> Sorry for getting this sent to squid-users instead of the adequate
> mailing list for patches (squid-dev). We have tried to send the
> patch to squid-dev without a subscription (as recommended in
> http://www.squid-cache.org/Support/mailing-lists.html#squid-dev),
> but perhaps the message did not get to the list administrator.
>
Could you subscribe then please and post it (or the updated version
after below). This has effects that I'd like our SSL devs to double check.
For my part on the audit:
* please separate into two patches - one for the renegotiation changes,
one for the EECDH.
* please avoid #ifdef and #ifndef in new code.
- use #if defined() style instead.
Renegotiation:
* please wrap the entire ssl_info_cb() definition in the #if
conditionals and the appropriate calling lines.
I know its a bit messy, but increasingly the library builds are lacking
renegtiation support entirely so this means smaller/faster builds.
EECDH:
FYI: with the deprecation of SSLv3 I'm working now towards a cleanup of
the SSL options with removals where possible.
* the DH parameters I think would be better added as a new option
"tls-dh=curve:/path/to/params" where the 'curve' part is optional and
implies EC when present - non-EC when absent.
* SINGLE_ECDH_USE needs to be documented in release-4.sgml
"New <em>options=SINGLE_ECDH_USE</em> parameter to ..."
* The ECDH changes affect both https_port and http_port. They need
separate listings for each under changed directives, duplicate text on
the line items is fine.
* please implement (duplicate) all this UI parse change using the
Security::PeerOptions object (src/security/PeerOptions.*)
- the src/ssl/* code for UI parsing and config storage is 'legacy' only
use by http(s)_port directives.
- this may require some small changes suitable for use on client contexts
- UI options added to Security::PeerOptions get documented in
release-4.sgml as changes for both cache_peer and tls_outgoing_options.
- also in cf.data.pre for those directives
* configureSslEECDH() return true in the event that the chosen
configuration options are not even available.
- please make an #else condition that displays an ERROR message at
level DBG_CRITICAL about the option(s) not being available, then return
false.
- variable 'ok' can then become const (define on assignment) and move
fully inside the #if case.
Amos
More information about the squid-users
mailing list