--------------------- PatchSet 6223 Date: 2004/06/09 14:20:03 Author: hno Branch: ssl-2_5 Tag: (none) Log: sslcontext= option I/O cleanups to correct issues with POST requests to https_port Members: src/cache_cf.c:1.38.6.9.2.10->1.38.6.9.2.11 src/cf.data.pre:1.49.2.27.2.16->1.49.2.27.2.17 src/client_side.c:1.47.2.21.2.14->1.47.2.21.2.15 src/ssl_support.c:1.6.6.1.2.8->1.6.6.1.2.9
Index: squid/src/cache_cf.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cache_cf.c,v
retrieving revision 1.38.6.9.2.10
retrieving revision 1.38.6.9.2.11
diff -u -r1.38.6.9.2.10 -r1.38.6.9.2.11
--- squid/src/cache_cf.c 9 Jun 2004 14:14:07 -0000 1.38.6.9.2.10
+++ squid/src/cache_cf.c 9 Jun 2004 14:20:03 -0000 1.38.6.9.2.11
@@ -1,6 +1,6 @@
 /*
- * $Id: cache_cf.c,v 1.38.6.9.2.10 2004/06/09 14:14:07 hno Exp $
+ * $Id: cache_cf.c,v 1.38.6.9.2.11 2004/06/09 14:20:03 hno Exp $
  *
  * DEBUG: section 3 Configuration File Parsing
  * AUTHOR: Harvest Derived
@@ -2420,13 +2420,16 @@
     } else if (strncmp(token, "sslflags=", 9) == 0) {
 	safe_free(s->sslflags);
 	s->sslflags = xstrdup(token + 9);
+    } else if (strncmp(token, "sslcontext=", 11) == 0) {
+	safe_free(s->sslcontext);
+	s->sslcontext = xstrdup(token + 11);
     } else {
 	self_destruct();
     }
     }
     while (*head)
 	head = &(*head)->next;
-    s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile);
+    s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile, s->sslcontext);
     if (!s->sslContext)
 	self_destruct();
     *head = s;
Index: squid/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v
retrieving revision 1.49.2.27.2.16
retrieving revision 1.49.2.27.2.17
diff -u -r1.49.2.27.2.16 -r1.49.2.27.2.17
--- squid/src/cf.data.pre 9 Jun 2004 14:14:08 -0000 1.49.2.27.2.16
+++ squid/src/cf.data.pre 9 Jun 2004 14:20:03 -0000 1.49.2.27.2.17
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.49.2.27.2.16 2004/06/09 14:14:08 hno Exp $
+# $Id: cf.data.pre,v 1.49.2.27.2.17 2004/06/09 14:20:03 hno Exp $
 #
 #
 # SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -156,6 +156,8 @@
 	Don't use the default CA list built in to OpenSSL.
+	sslcontext= SSL session ID context identifier.
+
 DOC_END
 NAME: ssl_unclean_shutdown
Index: squid/src/client_side.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/client_side.c,v
retrieving revision 1.47.2.21.2.14
retrieving revision 1.47.2.21.2.15
diff -u -r1.47.2.21.2.14 -r1.47.2.21.2.15
--- squid/src/client_side.c 9 Jun 2004 14:14:08 -0000 1.47.2.21.2.14
+++ squid/src/client_side.c 9 Jun 2004 14:20:03 -0000 1.47.2.21.2.15
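Review bot: The `sslcontext=` value is copied with `xstrdup(token + 11)` and passed straight to `sslCreateServerContext()` without any length check, while OpenSSL bounds a session id context at SSL_MAX_SID_CTX_LENGTH (32) bytes; an over-long value can therefore only fail later, presumably inside the context setup that this patch does not show here, where the generic `self_destruct()` on `!s->sslContext` gives the administrator no hint which option was wrong. Rejecting it at parse time keeps the error next to the option: `if (strlen(token + 11) > SSL_MAX_SID_CTX_LENGTH)` followed by `self_destruct();`, with a `debug(3, 0)` line naming `sslcontext=` and the limit before the abort. The enclosing parser function starts and ends outside this hunk, so whether `s->sslcontext` is released on the other `self_destruct()` paths cannot be checked from here.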
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side.c,v 1.47.2.21.2.14 2004/06/09 14:14:08 hno Exp $
+ * $Id: client_side.c,v 1.47.2.21.2.15 2004/06/09 14:20:03 hno Exp $
  *
  * DEBUG: section 33 Client-side Routines
  * AUTHOR: Duane Wessels
@@ -3457,23 +3457,53 @@ case SSL_ERROR_WANT_WRITE: commSetSelect(fd, COMM_SELECT_WRITE, clientNegotiateSSL, conn, 0); return; + case SSL_ERROR_SYSCALL: + if (ret == 0) { + debug(83, 2) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: Aborted by client\n", fd); + comm_close(fd); + return; + } else { + int hard = 1; + if (errno == ECONNRESET) + hard = 0; + debug(83, hard ? 1 : 2) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d)\n", + fd, strerror(errno), errno); + comm_close(fd); + return; + } + case SSL_ERROR_ZERO_RETURN: + debug(83, 1) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: Closed by client\n", fd); + comm_close(fd); + return; default: - debug(81, 1) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d/%d)\n", + debug(83, 1) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d/%d)\n", fd, ERR_error_string(ERR_get_error(), NULL), ssl_error, ret); comm_close(fd); return; } /* NOTREACHED */ } - debug(83, 5) ("clientNegotiateSSL: FD %d negotiated cipher %s\n", fd, - SSL_get_cipher(fd_table[fd].ssl)); + if (SSL_session_reused(ssl)) { + debug(83, 2) ("clientNegotiateSSL: Session %p reused on FD %d (%s:%d)\n", SSL_get_session(ssl), fd, fd_table[fd].ipaddr, (int)fd_table[fd].remote_port); + } else { + if (do_debug(83, 4)) { + /* Write out the SSL session details.. actually the call below, but + * OpenSSL headers do strange typecasts confusing GCC.. */ + /* PEM_write_SSL_SESSION(debug_log, SSL_get_session(ssl)); */ + PEM_ASN1_write(i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL); + /* Note: This does not automatically fflush the log file.. 
*/ + } + debug(83, 2) ("clientNegotiateSSL: New session %p on FD %d (%s:%d)\n", SSL_get_session(ssl), fd, fd_table[fd].ipaddr, (int)fd_table[fd].remote_port); + } + debug(83, 3) ("clientNegotiateSSL: FD %d negotiated cipher %s\n", fd, + SSL_get_cipher(ssl)); - client_cert = SSL_get_peer_certificate(fd_table[fd].ssl); + client_cert = SSL_get_peer_certificate(ssl); if (client_cert != NULL) { - debug(83, 5) ("clientNegotiateSSL: FD %d client certificate: subject: %s\n", fd, + debug(83, 3) ("clientNegotiateSSL: FD %d client certificate: subject: %s\n", fd, X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0)); - debug(83, 5) ("clientNegotiateSSL: FD %d client certificate: issuer: %s\n", fd, + debug(83, 3) ("clientNegotiateSSL: FD %d client certificate: issuer: %s\n", fd, X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0)); X509_free(client_cert); Index: squid/src/ssl_support.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/ssl_support.c,v retrieving revision 1.6.6.1.2.8 retrieving revision 1.6.6.1.2.9 diff -u -r1.6.6.1.2.8 -r1.6.6.1.2.9 --- squid/src/ssl_support.c 18 Apr 2004 00:09:08 -0000 1.6.6.1.2.8 +++ squid/src/ssl_support.c 9 Jun 2004 14:20:03 -0000 1.6.6.1.2.9 @@ -35,12 +35,6 @@ #include "squid.h" -extern int commUnsetNonBlocking(int fd); -extern int commSetNonBlocking(int fd); - -void clientNegotiateSSL(int fd, void *data); -void clientReadSSLRequest(int fd, void *data); - static RSA * ssl_temp_rsa_cb(SSL * ssl, int export, int keylen) {
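Review bot: The `do_debug(83, 4)` branch writes the entire SSL_SESSION to the debug log with `PEM_ASN1_write(i2d_SSL_SESSION, ...)`, and that encoding carries the session's master key, so anyone able to read the log at that level can decrypt a capture of the session; the dump also goes to a file the adjacent comment admits is not flushed. Logging only the session id bytes in hex gives the same ability to correlate the later `Session %p reused` line without exposing key material, and if the full dump is deliberately kept for debugging, the comment above it should say so: `/* WARNING: dumps the session master key into the debug log; debug-only */`. In the `SSL_ERROR_SYSCALL` branch `errno` is read only inside the `switch` on `ssl_error`, some distance after the failing call, so the value used in the `ECONNRESET` test and passed to `strerror()` may no longer be the one that call set; saving it immediately after the call (`int xerrno = errno;`, in the part of `clientNegotiateSSL` above this hunk) and using `xerrno` here would make the logged cause reliable. `clientNegotiateSSL` begins before the hunk and its `ssl`, `ret` and `ssl_error` locals are not visible here.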