[squid-users] sslcrtvalidator_program input not separated by "\1"?

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 25 11:31:08 UTC 2025


I see that note in the documentation predates the protocol change to 
include size parameters.

In modern Squid it only applies to the **response** from certificate 
generator/validator helpers back to Squid.


Your helper should do what the example 'fake' helper does;
  * read one '\n' terminated line of input.
  * parse the ( result SP size SP ) out of that first line
  * loop until more '\n' terminated lines have arrived providing a total 
of 'size' bytes worth of kv-pairs (aka "body").
  * ignore any garbage received on final \n terminated line (should only 
be a CRLF).
  * send reply followed by the '\1' character.


Amos


On 25/03/25 23:37, Robert 'Bobby' Zenz wrote:
> I'm currently implementing an extended certificate verification script
> for usage with "sslcrtvalidator_program", but I've encountered a hiccup
> during that.
> 
> The documentation at
> https://wiki.squid-cache.org/Features/SslServerCertValidator#helper-communication-protocol
> is suggesting that the script will receive "lines" which are separated
> by a 0x01 byte.
> 
>   > Input line received from Squid:
>   >
>   >     request size [kv-pairs]
>   >
>   >  > :warning: line refers to a logical input. body may contain \n
>   >  > characters so each line in this format is delimited by a 0x01 byte
>   >  > instead of the standard \n byte.
> 
> However, as far as I can tell that's not the case, the
> input "lines" are not separated by 0x01. The example script at
> https://github.com/squid-cache/squid/blob/master/src/security/cert_validators/fake/security_fake_certverify.pl.in
> seems to be aware of that, as it reads the input line based on the body
> length provided.
> 
> My script is written in AWK, basically it can be summed up as:
> 
>      BEGIN {
>          RS = "\1"
>      }
>      
>      {
>          print("<" $1 ">")>"/dev/stderr"
>          printf("BH message=\"TEST\"\1")
>      }
> 
> And it never starts processing any input from Squid because 0x01 doesn't
> seem to be sent at all. I did have a quick look at the helper.cc, and it
> doesn't seem to use the "eom" during sending the message at all.
> 
> Am I misunderstanding the documentation here? Is my script/approach
> broken somehow and do I need to adjust that to read lines based on
> provided length?
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
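
The read loop listed in the reply above, as an added Python example that is not code from the thread or from the Squid project. `MAX_BODY`, the function names and the absence of a leading channel-ID on each request are assumptions; the reply text is the placeholder from the AWK script.

```python
import sys

EOM = b"\x01"        # terminates each reply sent back to Squid; not present in the input
MAX_BODY = 1 << 20   # assumed sanity cap on 'size', not a Squid constant

def read_request(stream):
    """Read one 'request SP size SP body' message; return (request, body) or None at EOF."""
    line = stream.readline()
    while line and not line.strip():       # skip the leftover CRLF of the previous message
        line = stream.readline()
    if not line:
        return None
    request, _, rest = line.partition(b" ")
    size_field, _, body = rest.partition(b" ")
    size = int(size_field)                 # ValueError on a malformed header
    if not 0 <= size <= MAX_BODY:
        raise ValueError(f"body size {size} out of range")
    while len(body) < size:                # the body spans further '\n'-terminated lines
        more = stream.readline()
        if not more:
            raise EOFError("input ended before 'size' bytes of body arrived")
        body += more
    # Anything after 'size' bytes on the final line is discarded.
    return request.decode("ascii", "replace"), body[:size]

def serve(inp, out, decide):
    """Answer every request on inp with decide(request, body) followed by EOM."""
    while (msg := read_request(inp)) is not None:
        out.write(decide(*msg).encode() + EOM)
        out.flush()                        # Squid waits for the reply; do not buffer it

def placeholder_reply(request, body):
    # Reply text taken from the AWK script in the thread; a real validator decides here.
    return 'BH message="TEST"'

if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer, placeholder_reply)
```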


