lp:~measurement-factory/squid/fast-sni

Created by Christos Tsantilas and last modified
Get this branch:
bzr branch lp:~measurement-factory/squid/fast-sni

Branch information

Owner:
Measurement Factory
Project:
Squid
Status:
Merged

Recent revisions

14634. By Christos Tsantilas

sync with trunk-r14669

14633. By Christos Tsantilas

Polishing fixes

Code formatting, variable fixes, comments and debug messages.

Most of them were proposed by Amos during the squid-dev review procedure.

14632. By Christos Tsantilas

merge from trunk-r14667

14631. By Christos Tsantilas

run formatter

14630. By Christos Tsantilas

Fix comment about v23 ciphers

Also add the RFC links

14629. By Christos Tsantilas

Polishing fixes

 - Replace Handshake::details pointer with an always-available object
 - Replace Security::ProtocolVersion and its "int" representation in TlsDetails
   and NegotiationHistory classes with the existing Anyp::ProtocolVersion
 - Fix TlsDetails::compressMethod. The clients may send a compression methods
   list with a NULL compression method.
   Rename to TlsDetails::compressionSupported.
 - Other minor fixes.

14628. By Alex Rousskov

Fixed header guard style.

14627. By Alex Rousskov

Fixed lack of heartbeat detection.

14626. By Alex Rousskov

Optimization: Spend less CPU and RAM on adjustSSL(). Speed gain: ~5%.

Do not store extension types just to iterate over them in adjustSSL().
Check for extension support while parsing instead. Since the list of
OpenSSL-supported extensions is constant (does not depend on the
connection), we do not need to create and index extension storage once
for each TLS connection; we now do it once per worker lifetime instead.

Use std::unordered_set instead of std::list for ciphers. Most real-world
cipher lists probably contain dozens of 2-byte entries, making std::list
storage a poor choice. Unlike TLS extensions, supported ciphers depend
on the connection so we have to store all of them to check whether each
stored cipher is supported for the SSL connection object created later.
Having an O(1) lookup speeds up that last check a lot compared to the
old linear search across all stored ciphers.

Do fast adjustSSL() checks before the longer cipher loop check.

Acknowledge TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher support.

Added TLSEXT_TYPE_signature_algorithms(13) and
TLSEXT_TYPE_next_proto_neg(13172) to the list of TLS extensions
supported by OpenSSL and recognized by Squid. Recognizing these
extensions is necessary for adjustSSL() to work in more real-world
cases.

Also sorted TLSEXT_TYPE_* entries and replaced "#if 0" code with a way
to build Squid to recognize more extensions as OpenSSL's list grows.
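The r14626 message above describes two checks: extension types are compared against a constant, process-wide set while the ClientHello is parsed, and the client's cipher list is kept in a std::unordered_set so the later per-connection check against the server's cipher list is an O(1) lookup per cipher instead of a linear scan. The C++ below is an added illustration written for this page; it is not Squid's Security::HandshakeParser or BinaryTokenizer code. The supported-extension list, the cipher identifiers and the ClientHello bytes are constructed sample values, and the parse starts at the cipher_suites field (after the client random and session id), since the earlier fields do not matter for these two checks.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <unordered_set>
#include <vector>

using Bytes = std::vector<uint8_t>;

// TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746): a signalling value carried in
// the cipher_suites vector that is not a real cipher suite.
constexpr uint16_t TlsEmptyRenegotiationInfoScsv = 0x00FF;

// Extension types treated as "supported by the local TLS library". This is an
// assumed list for the example; Squid derives the real one from its OpenSSL
// build. The set does not depend on the connection, so it is built once per
// process (function-local static) and only looked up afterwards.
const std::unordered_set<uint16_t>& supportedExtensionTypes() {
    static const std::unordered_set<uint16_t> types = {
        0,      // server_name (SNI)
        10,     // supported_groups
        11,     // ec_point_formats
        13,     // signature_algorithms
        16,     // application_layer_protocol_negotiation
        13172,  // next_proto_neg
        65281,  // renegotiation_info
    };
    return types;
}

struct HelloDetails {
    std::unordered_set<uint16_t> ciphers;         // per-connection, O(1) membership
    bool scsvSeen = false;                        // SCSV acknowledged, not stored as a cipher
    std::vector<uint16_t> unsupportedExtensions;  // decided while parsing, nothing stored for later
};

// Minimal bounds-checked big-endian reader; every read fails loudly on a
// truncated buffer rather than reading past the end.
class Cursor {
public:
    explicit Cursor(const Bytes& b) : buf(b) {}
    uint8_t u8() { need(1); return buf[pos++]; }
    uint16_t u16() {
        need(2);
        const uint16_t v = static_cast<uint16_t>((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
        return v;
    }
    void skip(size_t n) { need(n); pos += n; }
    bool atEnd() const { return pos == buf.size(); }
private:
    void need(size_t n) const {
        if (buf.size() - pos < n) throw std::runtime_error("truncated ClientHello body");
    }
    const Bytes& buf;
    size_t pos = 0;
};

// Parses cipher_suites, compression_methods and the optional extensions vector
// (RFC 5246 section 7.4.1.2), starting at the cipher_suites length field.
HelloDetails parseClientHelloTail(const Bytes& body) {
    HelloDetails d;
    Cursor c(body);
    const uint16_t cipherBytes = c.u16();
    if (cipherBytes % 2) throw std::runtime_error("odd cipher_suites length");
    for (uint16_t i = 0; i < cipherBytes; i += 2) {
        const uint16_t id = c.u16();
        if (id == TlsEmptyRenegotiationInfoScsv) d.scsvSeen = true;
        else d.ciphers.insert(id);
    }
    c.skip(c.u8());          // compression_methods: length byte then the methods
    if (c.atEnd()) return d; // extensions vector is optional
    uint16_t extBytes = c.u16();
    while (extBytes > 0) {
        if (extBytes < 4) throw std::runtime_error("extension header overruns extensions vector");
        const uint16_t type = c.u16();
        const uint16_t len = c.u16();
        extBytes -= 4;
        if (extBytes < len) throw std::runtime_error("extension data overruns extensions vector");
        c.skip(len);         // extension contents are not needed for the support check
        extBytes -= len;
        if (!supportedExtensionTypes().count(type)) d.unsupportedExtensions.push_back(type);
    }
    if (!c.atEnd()) throw std::runtime_error("trailing bytes after extensions");
    return d;
}

// The later per-connection check: walk the server-side cipher list (in Squid
// this comes from the SSL object created after parsing) and test each entry
// against the client's hash set instead of scanning a std::list.
size_t countSupportedCiphers(const HelloDetails& d, const std::unordered_set<uint16_t>& serverCiphers) {
    size_t n = 0;
    for (const uint16_t id : serverCiphers) if (d.ciphers.count(id)) ++n;
    return n;
}

bool parsesCleanly(const Bytes& body) {
    try { parseClientHelloTail(body); return true; } catch (const std::runtime_error&) { return false; }
}

// Constructed sample: 3 real ciphers plus the SCSV, null compression, and three
// extensions (signature_algorithms, next_proto_neg, padding(21) which is not
// in the assumed supported list).
Bytes sampleClientHelloTail() {
    return {0x00, 0x08, 0xC0, 0x2B, 0xC0, 0x2F, 0x00, 0x9C, 0x00, 0xFF,
            0x01, 0x00,
            0x00, 0x12,
            0x00, 0x0D, 0x00, 0x04, 0x00, 0x02, 0x04, 0x01,
            0x33, 0x74, 0x00, 0x00,
            0x00, 0x15, 0x00, 0x02, 0x00, 0x00};
}
```

Because unsupported extensions are decided during the parse, nothing about them has to be carried to the adjustSSL() stage; only the cipher set is kept, which is the split the commit describes. The Cursor throws on a truncated body so a malformed or cut-off ClientHello is rejected rather than silently producing a partial cipher set.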

14625. By Alex Rousskov

Finalized BinaryTokenizer context handling. Polished.

No more funny context fields inside TLS structures. Context is handled
by the parsing code without needlessly storing it long-term.

Hid TLS structures/parsers used exclusively by
Security::HandshakeParser inside security/Handshake.cc to simplify API.

Also skipped unused ServerHello.random (instead of storing it in
TlsDetails::clientRandom) and replaced SQUID_TLS_RANDOM_SIZE macro
with a regular C++ constant.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:~squid/squid/trunk