------------------------------------------------------------
revno: 13710
revision-id: squid3@treenet.co.nz-20150102035512-p8u1l322gyb6wvqs
parent: squid3@treenet.co.nz-20150102034356-275plkr9fc6p56yp
author: Christos Tsantilas
committer: Amos Jeffries
branch nick: 3.5
timestamp: Thu 2015-01-01 19:55:12 -0800
message:
  Fixed handling of invalid SSL server certificates when splicing connections.

  An unpatched Squid in peek-and-splice mode may splice connections after
  receiving a malformed or unsupported SSL server Hello message. This may
  happen even if sslproxy_cert_error tells Squid to honor the error.

  After this change, Squid honors the sslproxy_cert_error setting when:

  * no server certificate was found and checked using the Squid validation
    procedure (e.g., because the SSL server Hello response was malformed or
    unsupported); or
  * the Squid server certificate validation procedure has failed.

  If the certificate error is not allowed, Squid terminates the server
  connection and attempts to bump the client connection to deliver the error
  message to the user.

  This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150102035512-p8u1l322gyb6wvqs
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 1f4dd3f64480bc7dbf6b5b240ccbfb94adf15760
# timestamp: 2015-01-02 03:56:12 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20150102034356-\
#   275plkr9fc6p56yp
#
# Begin patch
=== modified file 'src/ssl/PeerConnector.cc'
--- src/ssl/PeerConnector.cc	2015-01-02 02:43:26 +0000
+++ src/ssl/PeerConnector.cc	2015-01-02 03:55:12 +0000
@@ -547,8 +547,8 @@ // unsupported server Hello message (TODO: make configurable). #if 1 if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) && - SSL_get_peer_certificate(ssl) && - (request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) { + SSL_get_peer_certificate(ssl) && + (request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) { debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd); checkForPeekAndSplice(); return;
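Review bot: the `-` and `+` lines in this hunk are textually identical as shown, so the hunk reads as a whitespace-only re-indent, and the condition it re-indents still requires `SSL_get_peer_certificate(ssl)` to return a certificate before taking the "hold write" / `checkForPeekAndSplice()` path; the behaviour the commit message promises for the no-certificate case (a malformed or unsupported server Hello) is therefore not implemented anywhere visible in this hunk and should be pointed at, either in the message or in a comment next to this condition, so the change is reviewable on its own. Two smaller points on the same lines: `SSL_get_peer_certificate()` returns a new reference that the caller must `X509_free()`, so using it as a bare boolean inside the `if` leaks one `X509` reference on every pass through this error path (capture it in a local and free it, or test the certificate Squid has already stored for this session); and the `#if 1` with "TODO: make configurable" leaves permanently-enabled code behind a preprocessor switch, which should become a real option or plain unconditional code.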
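As an added illustration (not part of this commit or of the Squid sources), the squid.conf fragment below sets up the peek-and-splice mode the commit message describes, with the sslproxy_cert_error setting whose enforcement this fix restores shown beside the weak variant. Port, file paths and ACL names are assumptions chosen for the example.

```conf
# Added example, not from the Squid sources. Port, paths and ACL names are assumptions.

# Forward proxy port with SslBump; per-host certificates are minted from a local CA.
http_port 3128 ssl-bump \
    cert=/etc/squid/ca/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Peek at the client Hello (SslBump1) and the server Hello (SslBump2),
# then splice the tunnel without decrypting it. This is the peek-and-splice
# path the commit message refers to.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice all

# Honor every server certificate error. Before this fix, a malformed or
# unsupported server Hello could be spliced regardless of this rule; after it,
# Squid closes the server side and bumps the client to deliver the error page.
sslproxy_cert_error deny all

# Weak variant (do not use): accept any certificate error and splice anyway.
# sslproxy_cert_error allow all
```

With `deny all` in place, a peeked server Hello that fails validation (or cannot be validated at all) never results in a blind splice; the client is bumped so the user sees Squid's error response instead of a silently forwarded TLS session.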