------------------------------------------------------------ revno: 13864 revision-id: squid3@treenet.co.nz-20150716071442-v2bt3ipt5xt705gq parent: squid3@treenet.co.nz-20150716070137-l130moshh3wk96eg author: Christos Tsantilas committer: Amos Jeffries branch nick: 3.5 timestamp: Thu 2015-07-16 00:14:42 -0700 message: Errors served using invalid certificates when dealing with SSL server errors. When bumping Squid needs to send a Squid-generated error "page" over a secure connection, Squid needs to generate a certificate for that connection. Prior to these changes, several scenarios could lead to Squid generating a certificate that clients could not validate. In those cases, the user would get a cryptic and misleading browser error instead of a Squid-generated error page with useful details about the problem. One example is a server certificate that is rejected by the certificate validation helper. Squid no longer uses CN from that certificate to generate a fake certificate. Another example is a user accessing an origin server using one of its "alternative names" and getting a Squid-generated certificate containing just the server common name (CN). These changes make sure that certificate for error pages is generated using SNI (when peeking or staring, if available) or CONNECT host name (including server-first bumping mode). We now update the ConnStateData::sslCommonName field (used as CN field for generated certificates) only _after_ the server certificate is successfully validated. This is a Measurement Factory project. 
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150716071442-v2bt3ipt5xt705gq
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 3f8645408d29dc2ff45c769f4e9000547d14f43f
# timestamp: 2015-07-16 07:16:07 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20150716070137-\
# l130moshh3wk96eg
#
# Begin patch
=== modified file 'src/ssl/PeerConnector.cc'
--- src/ssl/PeerConnector.cc 2015-06-05 23:22:22 +0000
+++ src/ssl/PeerConnector.cc 2015-07-16 07:14:42 +0000
@@ -274,10 +274,6 @@
 serverCertificateHandled = true;
- csd->resetSslCommonName(Ssl::CommonHostName(serverCert.get()));
- debugs(83, 5, "HTTPS server CN: " << csd->sslCommonName() <<
- " bumped: " << *serverConnection());
-
 // remember the server certificate for later use
 if (Ssl::ServerBump *serverBump = csd->serverBump()) {
 serverBump->serverCert.reset(serverCert.release());
@@ -285,6 +281,26 @@
 }
 }
+void
+Ssl::PeerConnector::serverCertificateVerified()
+{
+ if (ConnStateData *csd = request->clientConnectionManager.valid()) {
+ Ssl::X509_Pointer serverCert;
+ if(Ssl::ServerBump *serverBump = csd->serverBump())
+ serverCert.resetAndLock(serverBump->serverCert.get());
+ else {
+ const int fd = serverConnection()->fd;
+ SSL *ssl = fd_table[fd].ssl;
+ serverCert.reset(SSL_get_peer_certificate(ssl));
+ }
+ if (serverCert.get()) {
+ csd->resetSslCommonName(Ssl::CommonHostName(serverCert.get()));
+ debugs(83, 5, "HTTPS server CN: " << csd->sslCommonName() <<
+ " bumped: " << *serverConnection());
+ }
+ }
+}
+
 bool
 Ssl::PeerConnector::sslFinalized()
 {
@@ -338,6 +354,8 @@
 return true;
 }
 }
+
+ serverCertificateVerified();
 return true;
 }
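Review bot: The two branches of serverCertificateVerified() are not symmetric: when a ServerBump exists but its serverCert has not been recorded yet, `resetAndLock(serverBump->serverCert.get())` is presumably given NULL and the CN update is silently skipped, while the non-bump branch dereferences `fd_table[fd].ssl` with no NULL check before `SSL_get_peer_certificate(ssl)`. Since the code removed from handleServerCertificate() in the hunk above only stores serverBump->serverCert when a bump object exists and a certificate was received, I would fall back to the live SSL session whenever the bump object carries no certificate, and guard the ssl pointer, as sketched below. Ownership looks right as written: resetAndLock() takes its own lock on the shared certificate and reset() adopts the reference returned by SSL_get_peer_certificate(), so neither branch leaks. The reason the CN is updated here rather than in handleServerCertificate() is the whole point of the commit and deserves a line above the definition, e.g. `/// updates the client-side CN only after the server certificate passed validation; see sslFinalized() and sslCrtvdHandleReply()`.
```cpp
void
Ssl::PeerConnector::serverCertificateVerified()
{
    if (ConnStateData *csd = request->clientConnectionManager.valid()) {
        Ssl::X509_Pointer serverCert;
        if (Ssl::ServerBump *serverBump = csd->serverBump())
            serverCert.resetAndLock(serverBump->serverCert.get());
        if (!serverCert.get()) {
            // no bump object, or it has not recorded the certificate yet:
            // read it from the live session instead of silently skipping
            if (SSL *ssl = fd_table[serverConnection()->fd].ssl)
                serverCert.reset(SSL_get_peer_certificate(ssl));
        }
        // … unchanged: CN update and debugs …
    }
}
```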
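Review bot: The bare `serverCertificateVerified();` added before the final `return true;` of sslFinalized() carries no comment saying why it sits after the preceding block, and sslFinalized() starts outside this hunk, so a reader cannot tell from the hunk that this is the path on which no external validator runs. If, as the commit message says, the CN must only be published once validation succeeded, say so at the call site, e.g. `// no ssl_crtvd helper took over: OpenSSL's verification was the final check, publish the CN now` — assuming the conditional closed by the two braces above is indeed the helper branch (its header is outside the hunk, please confirm). The `return true;` at the top of the hunk leaves the function before reaching the new call, so whichever branch that belongs to does not publish the CN; if that is an error path, that is the intended behaviour.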
@@ -435,6 +453,7 @@
 validatorFailed = true;
 if (!errDetails && !validatorFailed) {
+ serverCertificateVerified();
 if (splice)
 switchToTunnel(request.getRaw(), clientConn, serverConn);
 else
=== modified file 'src/ssl/PeerConnector.h'
--- src/ssl/PeerConnector.h 2015-04-15 11:35:52 +0000
+++ src/ssl/PeerConnector.h 2015-07-16 07:14:42 +0000
@@ -158,6 +158,10 @@
 /// if the server certificate was received from the server.
 void handleServerCertificate();
+ /// Runs after the server certificate verified to update client
+ /// connection manager members
+ void serverCertificateVerified();
+
 /// Callback function called when squid receive message from cert validator helper
 static void sslCrtvdHandleReplyWrapper(void *data, Ssl::CertValidationResponse const &);
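Review bot: serverCertificateVerified() is now also invoked from the asynchronous validator-reply path, and its non-ServerBump branch indexes `fd_table[serverConnection()->fd]`; whether the server connection is guaranteed to still be open when the ssl_crtvd reply arrives is not visible here (the head of sslCrtvdHandleReply() is outside the hunk), so if serverConn can close while the reply is pending that branch would read a stale fd slot. Checking that serverConn is still open immediately before the new call, or inside the function before touching fd_table, would make the new code robust to that without changing the success path. The gating on `!errDetails && !validatorFailed` is the right place for the call: a helper failure or a reported certificate error must not publish the server's CN, which is exactly what the commit message promises.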
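Review bot: The new declaration's comment `/// Runs after the server certificate verified to update client` is a sentence fragment and names neither the callers nor the member that is updated. From the .cc hunks the callers are sslFinalized() and the success branch of sslCrtvdHandleReply(), and the member touched is ConnStateData::sslCommonName, so I would write: `/// Called once the server certificate has passed verification (from sslFinalized(), or on a successful ssl_crtvd reply); refreshes the client-side ConnStateData::sslCommonName from that certificate.` Stating the "only after verification" contract in the header is what keeps a future caller from reintroducing the pre-validation CN leak this commit removes.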