On 07/26/2013 03:49 PM, Amos Jeffries wrote:
> On 26/07/2013 10:20 p.m., Tsantilas Christos wrote:
>> This patch tries to detect infinite OpenSSL validation loops.
>>
>> If OpenSSL is stuck in a validation loop, Squid breaks the loop and
>> triggers a new custom SQUID_X509_V_ERR_INFINITE_VALIDATION SSL
>> validation error.
>> That error cannot be bypassed using sslproxy_cert_error because to break
>> the loop Squid has to tell OpenSSL that the certificate is invalid,
>> which terminates the SSL connection.
>>
>> The cause for this patch is the following bug in OpenSSL (but maybe in
>> the future other similar problems will be found):
>> http://rt.openssl.org/Ticket/Display.html?id=3090 (login with
>> guest/guest)
>>
>> This is a Measurement Factory project
>
> Please make the validation counter a fixed-size (uint16/32/64_t) and add
> a note where SQUID_CERT_VALIDATION_ITERATION_MAX is defined about what
> the absolute upper MAX limit that can be defined for the loop is.

I will use a uint32_t type, and I will add a comment about the maximum value... However, it is not important; I do not believe that someone will use a higher number than the already defined number... Actually I believe that any number greater than 100 is not needed here...

> +1. Otherwise fine as far as I can tell. Although I'm not aware enough
> about OpenSSL API to fully judge.

I will wait for more comments and I will apply it tomorrow.

I remember complaints on the squid mailing list that squid enters infinite loops. Maybe this fixes some of these problems...

Regards,
Christos

> Amos
>
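The mechanism discussed in this thread (a fixed-size per-connection counter in the verify callback, a cap that triggers a dedicated error, and the rule that this error is never bypassable because returning "invalid" to OpenSSL is the only way out of the loop) can be modelled without OpenSSL. The following stand-alone C program is an added example written for this page; it is not Squid's patch or OpenSSL code. The cap value of 100, the enum and function names, and the saturating counter are assumptions; the real patch uses SQUID_CERT_VALIDATION_ITERATION_MAX and SQUID_X509_V_ERR_INFINITE_VALIDATION inside Squid's actual OpenSSL callback.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical cap on verify-callback invocations per connection, standing in
 * for SQUID_CERT_VALIDATION_ITERATION_MAX. The value 100 follows Christos's
 * remark that anything larger is not needed; it is an assumption here. */
#define CERT_VALIDATION_ITERATION_MAX 100u

/* The counter is a fixed-size uint32_t, as Amos requested. The check below
 * fires only when the counter exceeds the cap, so the absolute upper limit
 * that can be configured is UINT32_MAX - 1: anything higher can never trip. */
#if CERT_VALIDATION_ITERATION_MAX > (UINT32_MAX - 1u)
#error "CERT_VALIDATION_ITERATION_MAX exceeds what a uint32_t counter can detect"
#endif

/* Outcome of one verify-callback step. VERIFY_INFINITE_VALIDATION plays the
 * role of SQUID_X509_V_ERR_INFINITE_VALIDATION (assumed name, added here). */
enum verify_outcome {
    VERIFY_OK = 0,
    VERIFY_CERT_ERROR = 1,          /* OpenSSL rejected the cert; policy may bypass */
    VERIFY_INFINITE_VALIDATION = 2  /* loop breaker fired; never bypassable */
};

/* Per-connection validation state, reset for every new TLS handshake. */
typedef struct {
    uint32_t iterations;
} validation_state;

/* Models the bookkeeping done at the top of an OpenSSL verify callback
 * (int cb(int preverify_ok, X509_STORE_CTX *ctx)); OpenSSL itself is not used. */
enum verify_outcome verify_step(validation_state *st, int preverify_ok)
{
    /* Saturate rather than wrap: a wrapped counter would silently re-arm the loop. */
    if (st->iterations < UINT32_MAX)
        st->iterations++;

    if (st->iterations > CERT_VALIDATION_ITERATION_MAX)
        return VERIFY_INFINITE_VALIDATION;  /* caller returns 0 to OpenSSL: handshake ends */

    return preverify_ok ? VERIFY_OK : VERIFY_CERT_ERROR;
}

/* Policy check modelled on sslproxy_cert_error: ordinary certificate errors
 * may be allowed by configuration, but the loop breaker never is, because
 * telling OpenSSL the certificate is invalid is the only way to leave the loop. */
bool outcome_bypassable(enum verify_outcome o)
{
    return o == VERIFY_CERT_ERROR;
}

/* Drives verify_step as if OpenSSL kept re-validating the same chain.
 * Returns the invocation number at which the loop breaker fired, or 0 if the
 * simulated handshake finished within 'callbacks' invocations. */
uint32_t simulate_validation(uint32_t callbacks, int preverify_ok)
{
    validation_state st = { 0 };
    for (uint32_t i = 1; i <= callbacks; i++) {
        if (verify_step(&st, preverify_ok) == VERIFY_INFINITE_VALIDATION)
            return i;
    }
    return 0;
}

int main(void)
{
    printf("normal 3-cert chain: breaker fired at %u (0 = never)\n",
           simulate_validation(3, 1));
    printf("runaway validation:  breaker fired at %u\n",
           simulate_validation(1000, 1));
    printf("loop breaker bypassable by policy: %s\n",
           outcome_bypassable(VERIFY_INFINITE_VALIDATION) ? "yes" : "no");
    return 0;
}
```

The compile-time check is the "note about the absolute upper MAX limit" Amos asked for, expressed so the build fails if someone configures a cap the counter type cannot detect; the saturating increment keeps a long-lived connection from wrapping the counter back to zero.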
