Re: [squid-dev] Hello and ssl_bump and External ACLs - 4.0.2

Tue, 24 Nov 2015 02:21:56 -0800

I am attaching a small (not well tested) patch, which fixed a similar problem for me, in the case someone want to test it. 

Amos,
should we try to retrieve ALE object from HttpRequest->clientConnectionManager->getCurrentContext()->http->al, or other sources, inside ACLFilledChecklist::syncAle(), if it is not set? 



On 11/24/2015 07:44 AM, Amos Jeffries wrote:

On 24/11/2015 1:16 a.m., Dave Lewthwaite wrote:

Hi,

I’ve finally found time to join the dev mailing list, I work with squid on a 
daily basis and we’re always needing the latest features which often causes to 
use beta’s and nightlies rather than final releases. At the moment I’m having 
an issue with SSL peek and splice with external ACLs.

I'm using Squid 4.0.2 compiled for CentOS 7 and i'm having issues with the SSL 
peek and splice configuration that previously worked in 3.5.11 with no 
problems. (The reason to update is to get eliptic curve cipher support).

Relavent config

external_acl_type extallowedSslUsers children-startup=1 children-max=40 ttl=0 
negative_ttl=0 %MYPORT %SRC %{X-Proxy-Port}>h %{User-Agent}>h %DST %ssl::>sni 
/etc/squid/acl/aclSSLInterceptUsers.php
acl allowedSslUsers external extallowedSslUsers

acl DiscoverSNIHost at_step SslBump1

ssl_bump stare DiscoverSNIHost all
ssl_bump bump allowedSslUsers
ssl_bump splice all

In this configuration when using a normal proxy port or transparent port, the 
external ACL is never evaluated - it logs

WARNING: allowedSslUsers ACL is used in context without an ALE state. Assuming 
mismatch.

Changing DiscoverSNIHost to be SslBump2 causes the external acl to be evaluated 
for normal proxy port (but SNI is not populated) but still not for transparent 
proxy.

The aim is to retrieve the SNI sent by the client to use in both logging and 
the external ACL.

Swapping stare for peek gives the same behaviour. As far as I can tell, if the 
system hits this point (without an ALE state) it will skip the ACL check and 
return false – obviously that’s a problem – I’ve also tried stripping out 
parameters from the external acl to no avail.

Is this a bug or a mis-configuration?


It is one of the effects of the external_acl_type format changes.

Is that message occuring on bumped CONNECT messages on an http_port, or
on an https_port?

And are you able to get an ALL,9 cache.log trace from a test request please?

Amos


=== modified file 'src/ssl/PeerConnector.cc'
--- src/ssl/PeerConnector.cc	2015-09-23 18:11:57 +0000
+++ src/ssl/PeerConnector.cc	2015-11-13 11:48:49 +0000
@@ -1,35 +1,36 @@
 /*
  * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
 
 /* DEBUG: section 17    Request Forwarding */
 
 #include "squid.h"
 #include "acl/FilledChecklist.h"
 #include "base/AsyncCbdataCalls.h"
 #include "CachePeer.h"
 #include "client_side.h"
+#include "client_side_request.h"
 #include "comm/Loops.h"
 #include "errorpage.h"
 #include "fde.h"
 #include "globals.h"
 #include "helper/ResultCode.h"
 #include "HttpRequest.h"
 #include "neighbors.h"
 #include "SquidConfig.h"
 #include "ssl/bio.h"
 #include "ssl/cert_validate_message.h"
 #include "ssl/Config.h"
 #include "ssl/ErrorDetail.h"
 #include "ssl/helper.h"
 #include "ssl/PeerConnector.h"
 #include "ssl/ServerBump.h"
 #include "ssl/support.h"
 
 CBDATA_NAMESPACED_CLASS_INIT(Ssl, PeerConnector);
 CBDATA_NAMESPACED_CLASS_INIT(Ssl, BlindPeerConnector);
 CBDATA_NAMESPACED_CLASS_INIT(Ssl, PeekingPeerConnector);
@@ -224,40 +225,42 @@
                                       static_cast<Ssl::BumpMode>(answer.kind):
                                       checkForPeekAndSpliceGuess();
     checkForPeekAndSpliceMatched(finalAction);
 }
 
 void
 Ssl::PeekingPeerConnector::checkForPeekAndSplice()
 {
     // Mark Step3 of bumping
     if (request->clientConnectionManager.valid()) {
         if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
             serverBump->step = Ssl::bumpStep3;
         }
     }
 
     handleServerCertificate();
 
     ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(
         ::Config.accessList.ssl_bump,
         request.getRaw(), NULL);
+    if (request->clientConnectionManager.valid() && request->clientConnectionManager->getCurrentContext() != NULL && request->clientConnectionManager->getCurrentContext()->http != NULL)
+        acl_checklist->al = request->clientConnectionManager->getCurrentContext()->http->al;
     acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpNone));
     acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpPeek));
     acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpStare));
     acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpClientFirst));
     acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpServerFirst));
     SSL *ssl = fd_table[serverConn->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
     if (!srvBio->canSplice())
         acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpSplice));
     if (!srvBio->canBump())
         acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpBump));
     acl_checklist->nonBlockingCheck(Ssl::PeekingPeerConnector::cbCheckForPeekAndSpliceDone, this);
 }
 
 void
 Ssl::PeekingPeerConnector::checkForPeekAndSpliceMatched(const Ssl::BumpMode action)
 {
     SSL *ssl = fd_table[serverConn->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);

=== modified file 'src/tunnel.cc'
--- src/tunnel.cc	2015-11-07 12:08:33 +0000
+++ src/tunnel.cc	2015-11-13 11:36:21 +0000
@@ -1218,40 +1218,41 @@
     debugs(26, 3, request->method << " " << url << " " << request->http_ver);
     ++statCounter.server.all.requests;
     ++statCounter.server.other.requests;
 
     tunnelState = new TunnelStateData;
     tunnelState->url = SBufToCstring(url);
     tunnelState->request = request;
     tunnelState->server.size_ptr = NULL; //Set later if ClientSocketContext is available
 
     // Temporary static variable to store the unneeded for our case status code
     static int status_code = 0;
     tunnelState->status_ptr = &status_code;
     tunnelState->client.conn = clientConn;
 
     ConnStateData *conn;
     if ((conn = request->clientConnectionManager.get())) {
         ClientSocketContext::Pointer context = conn->getCurrentContext();
         if (context != NULL && context->http != NULL) {
             tunnelState->logTag_ptr = &context->http->logType;
             tunnelState->server.size_ptr = &context->http->out.size;
+            tunnelState->al = context->http->al;
 
 #if USE_DELAY_POOLS
             /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */
             if (srvConn->getPeer() && srvConn->getPeer()->options.no_delay)
                 tunnelState->server.setDelayId(DelayId::DelayClient(context->http));
 #endif
         }
     }
 
     comm_add_close_handler(tunnelState->client.conn->fd,
                            tunnelClientClosed,
                            tunnelState);
 
     AsyncCall::Pointer timeoutCall = commCbCall(5, 4, "tunnelTimeout",
                                      CommTimeoutCbPtrFun(tunnelTimeout, tunnelState));
     commSetConnTimeout(tunnelState->client.conn, Config.Timeout.lifetime, timeoutCall);
     fd_table[clientConn->fd].read_method = &default_read_method;
     fd_table[clientConn->fd].write_method = &default_write_method;
 
     tunnelState->request->hier.note(srvConn, tunnelState->getHost());


_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev






















					Reply via email to