Author: Ricardo Ferreira Ribeiro
Author Date: 2026-02-11 03:03:25 UTC

Expand %x and %D after bumped SQUID_X509_V_ERR_DOMAIN_MISMATCH (#2373)

Squid detects SQUID_X509_V_ERR_DOMAIN_MISMATCH errors during various
processing stages, including when receiving an HTTP request on a
successfully bumped TLS connection. If that request targets a domain not
covered by the server certificate, and sslproxy_cert_error prohibits a
mismatch (it does by default), then Squid terminates the transaction
with an ERR_SECURE_CONNECT_FAIL response. That generated error response
body lacked %x and %D error details:

```diff
  The system returned:

- [No Error] (TLS code: [Unknown Error Code])
+ [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)

- [No Error Detail]
+ Certificate does not match domainname: /L=.../O=.../CN=example.com
```

The first `[No Error]` expansion of %E remains unchanged because this
particular error does not set `errno`.

ConnStateData::serveDelayedError() changes fix the above problem but %x
expansion in error pages and %err_detail in access log get a misleading
`+broken_cert` detail. To address that flaw, we changed the default for
broken certificate in Security::ErrorDetail constructor API from peer
certificate to nil. When broken certificate is nil, ErrorDetail now uses
valid certificate to expand %ssl_cn and similar certificate-inspecting
error page %codes.

All Security::ErrorDetail creators were checked and adjusted if needed:

* ConnStateData::serveDelayedError(): No caller changes. Using the new
  ErrorDetail creation API fixes this code by supplying nil broken
  certificate (because the certificate is _valid_ in this context).

* ssl_verify_cb(): No caller changes. We already use peer certificate as
  the default broken certificate because doing so is "reasonable" here.

* Security::PeerConnector::sslCrtvdCheckForErrors(): Adjusted to keep
  the original "if there was no error_cert_ID, then use peerCert"
  behavior while using new Security::ErrorDetail creation API.

Thus, the last two contexts are not affected by this error reporting API
change. The exceptional serveDelayedError() caller is affected, but
Squid did not report any certificate detail in that case until this
branch fixes, so this branch does not change one "reporting certificate"
to another; it only starts reporting (important) information when none
was available before.

This is a Measurement Factory project.

Author: Ricardo Ferreira Ribeiro
Author Date: 2026-02-11 03:03:25 UTC

Expand %x and %D after bumped SQUID_X509_V_ERR_DOMAIN_MISMATCH (#2373)

Squid detects SQUID_X509_V_ERR_DOMAIN_MISMATCH errors during various
processing stages, including when receiving an HTTP request on a
successfully bumped TLS connection. If that request targets a domain not
covered by the server certificate, and sslproxy_cert_error prohibits a
mismatch (it does by default), then Squid terminates the transaction
with an ERR_SECURE_CONNECT_FAIL response. That generated error response
body lacked %x and %D error details:

```diff
  The system returned:

- [No Error] (TLS code: [Unknown Error Code])
+ [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)

- [No Error Detail]
+ Certificate does not match domainname: /L=.../O=.../CN=example.com
```

The first `[No Error]` expansion of %E remains unchanged because this
particular error does not set `errno`.

ConnStateData::serveDelayedError() changes fix the above problem but %x
expansion in error pages and %err_detail in access log get a misleading
`+broken_cert` detail. To address that flaw, we changed the default for
broken certificate in Security::ErrorDetail constructor API from peer
certificate to nil. When broken certificate is nil, ErrorDetail now uses
valid certificate to expand %ssl_cn and similar certificate-inspecting
error page %codes.

All Security::ErrorDetail creators were checked and adjusted if needed:

* ConnStateData::serveDelayedError(): No caller changes. Using the new
  ErrorDetail creation API fixes this code by supplying nil broken
  certificate (because the certificate is _valid_ in this context).

* ssl_verify_cb(): No caller changes. We already use peer certificate as
  the default broken certificate because doing so is "reasonable" here.

* Security::PeerConnector::sslCrtvdCheckForErrors(): Adjusted to keep
  the original "if there was no error_cert_ID, then use peerCert"
  behavior while using new Security::ErrorDetail creation API.

Thus, the last two contexts are not affected by this error reporting API
change. The exceptional serveDelayedError() caller is affected, but
Squid did not report any certificate detail in that case until this
branch fixes, so this branch does not change one "reporting certificate"
to another; it only starts reporting (important) information when none
was available before.

This is a Measurement Factory project.

Author: Amos Jeffries
Author Date: 2026-02-07 00:33:40 UTC

Update FtpGateway.cc

Author: Amos Jeffries
Author Date: 2026-01-11 17:05:55 UTC

Revert "CI: Allow github merge queue to run build tests (#2334)"

This reverts commit f2f21b5d49d405a42690137c03de43fa42e1db01.

Author: Amos Jeffries
Author Date: 2025-11-04 21:23:34 UTC

Do not show arbitrary hostname in cachemgr.cgi output

Author: Amos Jeffries
Author Date: 2024-09-30 11:19:58 UTC

5.10 final

Author: Amos Jeffries
Author Date: 2022-08-09 23:34:54 UTC

Bug 3193 pt2: NTLM decoder truncating strings (#1114)

The initial bug fix overlooked large 'offset' causing integer
wrap to extract a too-short length string.

Improve debugs and checks sequence to clarify cases and ensure
that all are handled correctly.

Author: Armin Wolfermann
Author Date: 2020-02-04 20:15:00 UTC

fix security patch

Author: Francesco Chemolli
Author Date: 2018-10-21 13:06:33 UTC

Mingw build fixes

There are type errors and data access errors in windows-specific bits of
code.

Author: Garri Djavadyan
Author Date: 2016-12-17 13:56:49 UTC

Bug 4169: HIT marked as MISS when If-None-Match does not match

Author: Garri Djavadyan
Author Date: 2016-12-17 12:59:41 UTC

Bug 4169: HIT marked as MISS when If-None-Match does not match

Author: Garri Djavadyan
Author Date: 2016-12-17 10:04:42 UTC

Bug 4169: HIT marked as MISS when If-None-Match does not match

Author: Amos Jeffries
Author Date: 2016-12-17 06:37:44 UTC

Do not override user defined -std option

Author: Source Maintenance
Author Date: 2015-04-23 13:02:10 UTC

Docs: Update CONTRIBUTORS

Author: Amos Jeffries
Author Date: 2012-08-08 08:16:36 UTC

merged from trunk

Author: serassio <>
Author Date: 2008-03-02 23:54:50 UTC

Windows port: Add reconfigure action to cachemgr.

Author: robertc <>
Author Date: 2002-10-24 20:53:10 UTC

cbdata debug history