lp:~rousskov/squid/DynamicSslCert
This Squid feature generates site SSL certificates whose subject matches the proxied site's domain name. It relies on Squid's SslBump functionality and on the SslBump trust model: clients must already trust the CA that signs the generated certificates.
- Get this branch:
- bzr branch lp:~rousskov/squid/DynamicSslCert
Recent revisions
- 9342. By Alex Rousskov

  Cannot use request->GetHost() when calling switchToHttps() because
  switchToHttps() calls freeAllContexts() which frees request.

- 9340. By Alex Rousskov

  DynamicSslCert, phase1: Dynamically generate host certificates using OpenSSL
  shell commands.

  This support will either become more configurable or, more likely, will be
  removed in favor of using OpenSSL library calls to generate said certificates.
  We started with using shell commands because that interface felt easier to
  debug and tune.

  The low-level code to generate the certificates is in ssl_support. Here we
  focus on deciding whether the certificates should be generated dynamically and
  supplying generation parameters.

- 9339. By Alex Rousskov

  Added fde::dynamicSslContext to store the dynamic context pointer and delete
  the context when the descriptor is being closed. We use a similar trick for
  the SSL session in fde::ssl.

  It is not 100% clear to me why it is safe to store a pointer in two places and
  delete it in one, but apparently there are no situations where the core code
  uses the SSL pointer after closing the descriptor. If there are such cases,
  we should refcount the corresponding SSL objects.

- 9338. By Alex Rousskov

  Added low-level support for generating self- and CA-signed host SSL
  certificates using OpenSSL shell commands.

  This support will either become more configurable or, more likely, will be
  removed in favor of using OpenSSL library calls to generate said certificates.
  We started with using shell commands because that interface felt easier to
  debug and tune.

- 9337. By Alex Rousskov

  Added generate-host-certificates and ca-config http_port options to
  control dynamic generation of host certificates for SslBump.

  Synced with the following http_port_list changes:
  * Renamed http_port_list::sslcontext to sslContextSessionId to be more precise
    and to avoid clashes with other things named "SSL context".
  * Renamed http_port_list::sslContext to staticSslContext to distinguish from
    dynamic SSL contexts generated for each server host and to avoid clashes with
    other things named "SSL context".

- 9336. By Alex Rousskov

  Added generateHostCertificates and caConfig http_port_list members to
  control dynamic generation of host certificates for SslBump.

  Renamed http_port_list::sslcontext to sslContextSessionId to be more precise
  and to avoid clashes with other things named "SSL context". The squid.conf
  option remains to be called "sslcontext" but should probably be renamed.

  Renamed http_port_list::sslContext to staticSslContext to distinguish from
  dynamic SSL contexts generated for each server host and to avoid clashes
  with other things named "SSL context".

  Free some old and all newly added http_port_list members in the destructor.

- 9335. By Alex Rousskov

  Fixed "src/Makefile.am:981: whitespace following trailing backslash" warning.

- 9334. By Amos Jeffries

  Fix build error in testDiskIO.

  Disk IO Modules sources should have been included through the DiskIO
  libraries. Not directly as .o files.

  TODO: Still one more build error with Store objects to track down.
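The revisions above describe generating self- and CA-signed host certificates with OpenSSL shell commands. The following is an added example, not code from this branch or from Squid, that shows with the OpenSSL CLI what that procedure amounts to: mint a CA, mint a per-host leaf certificate whose CN is the proxied host name, sign it with the CA, and check that the result verifies only against the CA that issued it (which is the trust model SslBump depends on). The function names, the config-file layout, and the subjectAltName extension are this example's own assumptions; the commit messages say only that the certificate matches the domain name.

```shell
#!/bin/sh
# Added example (not Squid's code): per-host certificates minted by a local CA,
# the way an SslBump "dynamic host certificate" is produced.
# Assumes: openssl in PATH, a writable scratch directory, constructed host names.
set -eu

# make_ca DIR
# Creates a self-signed CA in DIR (ca.key, ca.crt). Only clients that install
# ca.crt as trusted will accept the certificates this CA signs; ca.key must be
# kept private, since whoever holds it can impersonate any site.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name   = dn
x509_extensions      = ca_ext
prompt               = no
[ dn ]
CN = Example Bump CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        >/dev/null 2>&1
}

# make_host_cert DIR HOST
# Generates HOST.key and a CSR whose CN is HOST, then signs it with the CA in
# DIR, producing HOST.crt. The SAN entry is an assumption of this example:
# modern clients match the host name against SAN, not CN.
make_host_cert() {
    dir="$1"; host="$2"
    cat > "$dir/$host.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = $host
EOF
    cat > "$dir/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/$host.cnf" -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        >/dev/null 2>&1
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" >/dev/null 2>&1
}

# verify_host_cert DIR HOST CAFILE
# Returns 0 only if DIR/HOST.crt chains to CAFILE and its subject CN is HOST,
# i.e. what a client trusting CAFILE would accept for that host.
verify_host_cert() {
    dir="$1"; host="$2"; cafile="$3"
    openssl verify -CAfile "$cafile" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -subject | grep -q "CN *= *$host" || return 1
}

# Stand-alone usage: ./bump-ca.sh <host> mints a CA and a certificate for <host>
# in a fresh temporary directory and reports whether it verifies.
if [ "$#" -gt 0 ]; then
    work="$(mktemp -d)"
    make_ca "$work"
    make_host_cert "$work" "$1"
    if verify_host_cert "$work" "$1" "$work/ca.crt"; then
        echo "ok: $work/$1.crt is signed by $work/ca.crt for $1"
    else
        echo "FAIL: $work/$1.crt does not verify"; exit 1
    fi
fi
```

The second check in the test below is the one worth internalising: the same leaf certificate that a client trusting ca1 accepts is rejected by a client trusting ca2, so the entire security of the scheme rests on which CA certificate the clients have installed and on the secrecy of that CA's private key.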
Branch metadata
- Branch format:
- Branch format 6
- Repository format:
- Bazaar pack repository format 1 (needs bzr 0.92)