------------------------------------------------------------ revno: 12517 revision-id: squid3@treenet.co.nz-20130314113219-4u5jfhab1odnh56r parent: squid3@treenet.co.nz-20130312101657-okwdw0tdl5km1rgc committer: Amos Jeffries branch nick: 3.3 timestamp: Thu 2013-03-14 05:32:19 -0600 message: Fix SSL Bump bypass for intercepted traffic The SSL-bump bypass code on intercepted HTTPS traffic generates a fake CONNECT request from the original destination IP:port in an attempt to trigger a TCP tunnel being opened for the un-bumped data to be transferred over. The current implementation breaks in two situations: 1) when IPv6 traffic is intercepted The URL field generated does not account for the additional [] requirements involved when IPv6+port are combined. The resulting fake requests look like: CONNECT ::1:443 HTTP/1.1 Host: ::1 ... which are both invalid, and will fail to parse. Breaking IPv6 HTTPS interception bypass. Resolve this by using Ip::Address::ToURL() function which was created for the purpose of generating URL hostnames from raw-IP + port with the bracketing inserted when required. 2) when a non-443 port is being intercepted The Host: header generated is missing the port and Squid Host: header validity will reject the outbound CONNECT 127.0.0.1:8443 HTTP/1.1 Host: 127.0.0.1 ... this is an invalid request. Squid is currently ignoring the Host header. However Squid tunnel.cc does make use of peering and may relay the fake request Host: to upstream peers where we cannot be so sure what will happen. Resolve this issue by re-using the generated IP:port string for both URL and Host: fields, which preserves teh port in Host: regardless of value. This also means there is an unnecessary :443 tagged on for most HTTPS traffic, however the omission of port from the Host: header is only a MAY and this should not cause any issues. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20130314113219-4u5jfhab1odnh56r # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 71bbb9442ec911239a54f40f6ca6f12da072b4ac # timestamp: 2013-03-14 11:33:19 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20130312101657-\ # okwdw0tdl5km1rgc # # Begin patch === modified file 'src/client_side.cc' --- src/client_side.cc 2013-01-28 04:11:25 +0000 +++ src/client_side.cc 2013-03-14 11:32:19 +0000 @@ -3618,8 +3618,8 @@ // fake a CONNECT request to force connState to tunnel static char ip[MAX_IPSTRLEN]; static char reqStr[MAX_IPSTRLEN + 80]; - connState->clientConnection->local.NtoA(ip, sizeof(ip)); - snprintf(reqStr, sizeof(reqStr), "CONNECT %s:%d HTTP/1.1\r\nHost: %s\r\n\r\n", ip, connState->clientConnection->local.GetPort(), ip); + connState->clientConnection->local.ToURL(ip, sizeof(ip)); + snprintf(reqStr, sizeof(reqStr), "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", ip, ip); bool ret = connState->handleReadData(reqStr, strlen(reqStr)); if (ret) ret = connState->clientParseRequests();