lp:~yadi/squid/crypto-ng-gnutls

Created by Amos Jeffries and last modified
Get this branch:
bzr branch lp:~yadi/squid/crypto-ng-gnutls

Branch information

Owner:
Amos Jeffries
Project:
Squid
Status:
Merged

Recent revisions

14153. By Amos Jeffries

Merge from v4

14152. By Amos Jeffries

Shuffle CRL loading into PeerOptions class

Reduces code duplication in client and server CRL loading methods and
makes both use the more efficient memory storage mechanism so as to avoid
file I/O operations on outgoing https:// proxying traffic.

Also, implement basic CRL loading support for GnuTLS library.

14151. By Amos Jeffries

Provide PeerOptions method to load CA files into a security context

14150. By Amos Jeffries

Free security contexts with Security:: API

14149. By Amos Jeffries

Generate GnuTLS TLS context

14148. By Amos Jeffries

Crypto-NG: Use Security::PeerOptions for listening port TLS settings

The bulk of this patch is symbol shuffling to de-duplicate the TLS
settings storage and parsing code.

* Shuffle relevant AnyP::PortCfg settings into a Security::PeerOptions
  member object.
 - removes a lot of duplicate config parsing code.

* Remove the now obsolete and unused Ssl::OpenSSLtoSquidSSLVersion()

The actual logic changes are relatively small:

* Shuffle flags= and options= parsing code from Ssl:: to
  Security::PeerOptions and update to use Tokenizer,
 - fixes performance regression using c_str() on the stored SBuf,
 - fixes performance issue with xstrdup() for option tokens,
 - removes several calls to c-string manipulation.

* Add cachemgr 'config' report dumper of Security::PeerOptions for use
  by all directives using it to dump tls-* parameter names. The old
  parameter names are still accepted, and deprecation will follow in a
  separate patch.
 - fixes bug where cache_peer was not dumping out its SSL/TLS config
  settings at all.

* Change the tls_outgoing_options default value from "disable" to setting
  TLS/1.0 minimum version.
  - fixes squid.conf parsing error on default value "disable".

* Fix tls-min-version=1.N handling not to alter stored options= config
  string. Now updates the binary representation in parsedOptions directly.

* Expose the TLS context creation and configuration to non-OpenSSL builds.
 - fixes bug where context creation by OpenSSL failed silently.

14147. By Source Maintenance

SourceFormat Enforcement

14146. By Christos Tsantilas

Avoid SSL certificate db corruption with empty index.txt as a symptom.

* Detect cases where the size file is corrupted or has a clearly wrong
  value. Automatically rebuild the database in such cases.

* Teach ssl_crtd to keep running if it is unable to store the generated
  certificate in the database. Return the generated certificate to Squid
  and log an error message in such cases.

Background:

There are cases where ssl_crtd may corrupt its certificate database.
The known cases manifest themselves with an empty db index file. When
that happens, ssl_crtd helpers quit, SSL bumping does not work any more,
and the certificate DB has to be deleted and re-initialized.

We do not know exactly what causes corruption in deployments, but one
known trigger that is easy to reproduce in a lab is the block size
change in the ssl_crtd configuration. That change has the following
side-effects:

1. When ssl_crtd removes certificates, it computes their size using a
   different block size than the one used to store the certificates.
   This may result in negative database sizes.

2. Signed/unsigned conversion results in a huge number near LONG_MAX,
   which is then written to the "size" file.

3. The ssl_crtd helper removes all certificates from the database trying to
   make space for new certificates.

4. The ssl_crtd helper refuses to store new certificates because the
   database size (as described by the "size" file) still exceeds the
   configured limit.

5. The ssl_crtd helper exits because it cannot store a new certificate
   in the database. No helper response is sent to Squid in this case.

Most likely, there are other corruption triggers -- the database
management code is of an overall poor quality. This change resolves some
of the underlying problems in hope to address at least some of the
unknown triggers as well as the known one.

This is a Measurement Factory project.
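The size-accounting failure described in the message above (steps 1, 2 and 4) and the kind of "clearly wrong value" check that should send the database down the rebuild path, as an added example. This is not ssl_crtd's own code: the `FakeCertDb` structure, the block-rounding helper and the exact plausibility rule are constructed for illustration, and the certificate names and sizes are made up.

```cpp
#include <cstdio>
#include <limits>
#include <map>
#include <string>

struct Entry {
    long long rawBytes;      // certificate length in bytes
    long long storedBlocks;  // bytes charged to the total when it was stored
};

// Round a byte length up to a whole number of on-disk blocks.
static long long blockedSize(long long bytes, long long blockSize) {
    return ((bytes + blockSize - 1) / blockSize) * blockSize;
}

// Constructed stand-in for the certificate database bookkeeping.
struct FakeCertDb {
    long long blockSize = 2048;     // block size currently configured
    long long maxSize = 1 << 20;    // configured database limit in bytes
    long long size = 0;             // running total, as written to the "size" file
    std::map<std::string, Entry> entries;

    void store(const std::string &name, long long bytes) {
        const long long charged = blockedSize(bytes, blockSize);
        entries[name] = Entry{bytes, charged};
        size += charged;
    }

    // Step 1: the size is recomputed with the *current* block size. If the
    // block size grew after the certificate was stored, more is subtracted
    // than was ever added and the total goes negative.
    void removeWithCurrentBlockSize(const std::string &name) {
        size -= blockedSize(entries[name].rawBytes, blockSize);
        entries.erase(name);
    }

    // Safe variant: subtract exactly what was charged at store time.
    void removeCharged(const std::string &name) {
        size -= entries[name].storedBlocks;
        entries.erase(name);
    }

    // Step 2: a negative total written through an unsigned type becomes a
    // huge value close to the top of the unsigned range.
    unsigned long long persistedSize() const {
        return static_cast<unsigned long long>(size);
    }

    // Rebuild path: recompute the total from the certificates actually present.
    long long recomputedSize() const {
        long long total = 0;
        for (const auto &kv : entries)
            total += blockedSize(kv.second.rawBytes, blockSize);
        return total;
    }
};

// Step 4: with the corrupt value, the limit check refuses every new certificate.
static bool haveRoom(unsigned long long sizeFileValue, long long needed, long long maxSize) {
    const unsigned long long limit = static_cast<unsigned long long>(maxSize);
    const unsigned long long need = static_cast<unsigned long long>(needed);
    return sizeFileValue <= limit && limit - sizeFileValue >= need;
}

// Plausibility check for a value read back from the "size" file. True means
// the value must be discarded and the total rebuilt from disk. The rule is an
// assumption of this example: reject wrapped negatives and any total larger
// than the files on disk can account for.
static bool sizeFileLooksCorrupt(unsigned long long sizeFileValue, long long recomputed) {
    const unsigned long long signedMax =
        static_cast<unsigned long long>(std::numeric_limits<long long>::max());
    if (sizeFileValue > signedMax)
        return true;
    return sizeFileValue > static_cast<unsigned long long>(recomputed);
}

// Store two certificates at block size 2048, raise the block size to 4096,
// remove both, and return what would have landed in the "size" file.
static unsigned long long reproduceCorruption(FakeCertDb &db) {
    db.blockSize = 2048;
    db.store("a.example.pem", 500);   // charged 2048
    db.store("b.example.pem", 700);   // charged 2048, total 4096
    db.blockSize = 4096;              // block size change in the ssl_crtd config
    db.removeWithCurrentBlockSize("a.example.pem");  // total 0
    db.removeWithCurrentBlockSize("b.example.pem");  // total -4096
    return db.persistedSize();
}

int main() {
    FakeCertDb db;
    const unsigned long long bad = reproduceCorruption(db);
    std::printf("size file would contain %llu, room for 4096 more: %s\n",
                bad, haveRoom(bad, 4096, db.maxSize) ? "yes" : "no");
    if (sizeFileLooksCorrupt(bad, db.recomputedSize()))
        db.size = db.recomputedSize();   // rebuild instead of trusting the file
    std::printf("after rebuild: %lld\n", db.size);
    return 0;
}
```

The `removeCharged` path shows the simplest way to avoid step 1 altogether: remember the bytes charged at store time instead of recomputing them under whatever block size happens to be configured now.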

14145. By Christos Tsantilas

Errors served using invalid certificates when dealing with SSL server errors.

When bumping Squid needs to send a Squid-generated error "page" over a
secure connection, Squid needs to generate a certificate for that connection.
Prior to these changes, several scenarios could lead to Squid generating
a certificate that clients could not validate. In those cases, the user would
get a cryptic and misleading browser error instead of a Squid-generated
error page with useful details about the problem.

One example is a server certificate that is rejected by the certificate
validation helper. Squid no longer uses CN from that certificate to generate
a fake certificate.

Another example is a user accessing an origin server using one of its
"alternative names" and getting a Squid-generated certificate containing just
the server common name (CN).

These changes make sure that the certificate for error pages is generated using
SNI (when peeking or staring, if available) or CONNECT host name (including
server-first bumping mode). We now update the ConnStateData::sslCommonName
field (used as CN field for generated certificates) only _after_ the server
certificate is successfully validated.

This is a Measurement Factory project.

14144. By Amos Jeffries

IPv6: improve BCP 177 compliance

Always perform the IP transport probes to detect IPv6 availability.

* Accept lack of IPv6 assignment as per normal by auto-disabling IPv6.

* Whine loudly if (and only if) it would have worked but has been
  forced OFF by --disable-ipv6.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:~squid/squid/trunk