lp:~yadi/squid/crypto-ng-gnutls
- Get this branch: bzr branch lp:~yadi/squid/crypto-ng-gnutls
Recent revisions
- 14152. By Amos Jeffries

Shuffle CRL loading into PeerOptions class

Reduces code duplication in client and server CRL loading methods and
makes both use the more efficient memory storage mechanism to avoid file
I/O operations on outgoing https:// proxying traffic.

Also, implement basic CRL loading support for GnuTLS library.
- 14148. By Amos Jeffries

Crypto-NG: Use Security::PeerOptions for listening port TLS settings

The bulk of this patch is symbol shuffling to de-duplicate the TLS
settings storage and parsing code.

* Shuffle relevant AnyP::PortCfg settings into a Security::PeerOptions
  member object.
  - removes a lot of duplicate config parsing code.

* Remove the now obsolete and unused Ssl::OpenSSLtoSquidSSLVersion()

The actual logic changes are relatively small:

* Shuffle flags= and options= parsing code from Ssl:: to
  Security::PeerOptions and update to use Tokenizer,
  - fixes performance regression using c_str() on the stored SBuf,
  - fixes performance issue with xstrdup() for option tokens,
  - removes several calls to c-string manipulation.

* Add cachemgr 'config' report dumper of Security::PeerOptions for use
  by all directives using it to dump tls-* parameter names. The old
  parameter names are still accepted, and deprecation will follow in a
  separate patch.
  - fixes bug where cache_peer was not dumping out its SSL/TLS config
    settings at all.

* Change the tls_outgoing_options default value from "disable" to setting
  TLS/1.0 minimum version.
  - fixes squid.conf parsing error on default value "disable".

* Fix tls-min-version=1.N handling not to alter stored options= config
  string. Now updates the binary representation in parsedOptions directly.

* Expose the TLS context creation and configuration to non-OpenSSL builds.
  - fixes bug where context creation by OpenSSL failed silently.

- 14146. By Christos Tsantilas
Avoid SSL certificate db corruption with empty index.txt as a symptom.

* Detect cases where the size file is corrupted or has a clearly wrong
  value. Automatically rebuild the database in such cases.

* Teach ssl_crtd to keep running if it is unable to store the generated
  certificate in the database. Return the generated certificate to Squid
  and log an error message in such cases.

Background:

There are cases where ssl_crtd may corrupt its certificate database.
The known cases manifest themselves with an empty db index file. When
that happens, ssl_crtd helpers quit, SSL bumping does not work any more,
and the certificate DB has to be deleted and re-initialized.

We do not know exactly what causes corruption in deployments, but one
known trigger that is easy to reproduce in a lab is the block size
change in the ssl_crtd configuration. That change has the following
side-effects:

1. When ssl_crtd removes certificates, it computes their size using a
   different block size than the one used to store the certificates.
   This may result in negative database sizes.
2. Signed/unsigned conversion results in a huge number near LONG_MAX,
   which is then written to the "size" file.
3. The ssl_crtd helper removes all certificates from database trying to make
   space for new certificates.
4. The ssl_crtd helper refuses to store new certificates because the
   database size (as described by the "size" file) still exceeds the
   configured limit.
5. The ssl_crtd helper exits because it cannot store a new certificate
   to the database. No helper response is sent to Squid in this case.

Most likely, there are other corruption triggers -- the database
management code is of an overall poor quality. This change resolves some
of the underlying problems in hope to address at least some of the
unknown triggers as well as the known one.

This is a Measurement Factory project.
- 14145. By Christos Tsantilas

Errors served using invalid certificates when dealing with SSL server errors.

When bumping, Squid needs to send a Squid-generated error "page" over a
secure connection, Squid needs to generate a certificate for that connection.
Prior to these changes, several scenarios could lead to Squid generating
a certificate that clients could not validate. In those cases, the user would
get a cryptic and misleading browser error instead of a Squid-generated
error page with useful details about the problem.

One example is a server certificate that is rejected by the certificate
validation helper. Squid no longer uses CN from that certificate to generate
a fake certificate.

Another example is a user accessing an origin server using one of its
"alternative names" and getting a Squid-generated certificate containing just
the server common name (CN).

These changes make sure that the certificate for error pages is generated using
SNI (when peeking or staring, if available) or CONNECT host name (including
server-first bumping mode). We now update the ConnStateData::sslCommonName
field (used as CN field for generated certificates) only _after_ the server
certificate is successfully validated.

This is a Measurement Factory project.
- 14144. By Amos Jeffries

IPv6: improve BCP 177 compliance

Always perform the IP transport probes to detect IPv6 availability.
* Accept lack of IPv6 assignment as per normal by auto-disabling IPv6.
* Whine loudly if (and only if) it would have worked but has been
  forced OFF by --disable-ipv6.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:~squid/squid/trunk