lp://staging/~measurement-factory/squid/bag10s
- Get this branch: bzr branch lp://staging/~measurement-factory/squid/bag10s
Recent revisions
- 13879. By Christos Tsantilas

  Collapse security_file_certgen requests.

  Concurrent identical same-worker security_file_certgen (a.k.a. ssl_crtd)
  requests are collapsed: the first such request goes through to one of
  the helpers while others wait for that first request to complete,
  successfully or otherwise. This optimization helps deal with flash
  crowds that suddenly send a large number of HTTPS requests to a small
  group of origin servers.

  Two certificate generation requests are considered identical if their
  on-the-wire images are identical. This simple and fast approach covers
  all certificate generation parameters, including all mimicked
  certificate properties, and avoids hash collisions and poisoning.
  Compared to collision- or poisoning-sensitive approaches that store raw
  certificates and compare their signatures or fingerprints, storing
  helper queries costs a few extra KB per pending helper request. That
  extra RAM cost is worth the advantages and will be eliminated when
  helper code switches from c-strings to SBufs.

  This is a Measurement Factory project.
- 13878. By Christos Tsantilas

  Rebase to squid-3.5.26 (r14168)

  Major patches not already included in bag10s:
  r14144: Fix crash when configuring with invalid delay_parameters restore value
  r14145: Fix missing CRLF on FTP timeout ABORT commands
  r14149: Bug 4508: Host forgery stalls intercepted being-spliced connections.
  r14157: Bug 4589: ssl_crtd: returning zero on failure
  r14158: Bug 3102: FTP directory listing drops first character of file names
  r14159: Bug 3772: message from FTP server gets mangled
  r14161: Bug 4682: ignoring http_access deny when client-first bumping mode is used

- 13877. By Alex Rousskov

  Do not die silently when dying via std::terminate(). Require C++11.

  C++11 is now mandatory on this branch because the new exception
  reporting code requires C++11.

  Based on v5 r15171 with "Terminal errors should throw" top-level
  exception handling logic from v5 r15148.

- 13876. By Christos Tsantilas

  Bug 4653 - %st lies about tunneled traffic volumes

  Squid-3.5 counts only the "CONNECT ..." header size for %>st and does not
  count the "HTTP/1.1 200" response header for the %<st.

  This is a Measurement Factory project, similar to squid5.r15142 and
  squid4.r15037.
- 13875. By Christos Tsantilas

  Bug 4711: SubjectAlternativeNames is missing in some generated certificates

  Squid may generate certificates which have a Common Name, but do not have
  a subjectAltName extension, for example when Squid-generated certificates
  do not mimic an origin certificate or when the certificate adaptation
  algorithm sslproxy_cert_adapt/setCommonName is used. This causes problems
  for some browsers, which validate a certificate using the
  SubjectAlternativeNames but ignore the CommonName field.

  This patch fixes Squid to always add a SubjectAlternativeNames extension in
  generated certificates which do not mimic an origin certificate.

  Squid still will not add a subjectAltName extension when mimicking an origin
  server certificate, even if that origin server certificate does not include
  the subjectAltName extension. Such origin servers may have problems when
  talking directly to browsers, and patched Squid is not trying to fix those
  problems.

  This is a Measurement Factory project. Similar to squid-5.r15131.
- 13874. By Christos Tsantilas

  Fix r13872: Bump SSL client on [more] errors encountered before ssl_bump evaluation

  The r13872 patch broke CONNECT authentication. The bug was caused by a
  misplaced block of code while porting the patch from squid-5 to squid-3.5.

- 13873. By Christos Tsantilas

  Rebase to squid-3.5.24 (r14141)

  Major patches not already included in bag10s:
  r14139: SSLv2 records force SslBump bumping despite a matching step2 peek rule
  r14138: Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation
  r14137: Detect HTTP header ACL issues

- 13872. By Christos Tsantilas

  Bump SSL client on [more] errors encountered before ssl_bump evaluation

  ... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
  http_access deny rule match.

  The old code allowed ssl_bump step1 rules to be evaluated in the
  presence of an error. An ssl_bump splicing decision would then trigger
  the useless "send the error to the client now" processing logic instead
  of going down the "to serve an error, bump the client first" path.

  Furthermore, the ssl_bump evaluation result itself could be surprising
  to the admin because ssl_bump (and most other) rules are not meant to be
  evaluated for a transaction in an error state. This complicated triage.

  Also polished an important comment to clarify that we want to bump on
  error if (and only if) the SslBump feature is applicable to the failed
  transaction (i.e., if the ssl_bump rules would have been evaluated if
  there were no prior errors). The old comment could have been
  misinterpreted that ssl_bump rules must be evaluated to allow an
  "ssl_bump splice" match to hide the error.

  This is a Measurement Factory project.
- 13871. By Christos Tsantilas

  External ACL helpers error handling & caching

  The helper protocol for external ACLs [1] defines three possible return values:
  OK - Success. ACL test matches.
  ERR - Success. ACL test fails to match.
  BH - Failure. The helper encountered a problem.

  The external ACL helpers distributed with Squid currently don't follow this
  definition. For example, upon connection error, ERR is returned:

    $ ext_ldap_group_acl ... -d
    ext_ldap_group_acl: WARNING: could not bind to binddn 'Can't contact LDAP server'
    ERR

  This does not allow distinguishing "no match" from "error" either, and
  therefore "ERR" is negatively cached also in the case of an error.

  Moreover there are multiple problems inside Squid when trying to handle BH
  responses:
  - Squid-5 and Squid-4 retry requests for BH responses but crash after the
    maximum retry number (currently 2) is reached.
  - If an external ACL helper always returns BH (e.g. because the LDAP server is
    down), Squid sends infinitely many new requests to the helper.

  This is a Measurement Factory project. Similar to squid-5 r15005.
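A minimal helper written to the three-way OK/ERR/BH protocol the commit above describes, as an added example that is not Squid's ext_ldap_group_acl and not part of this branch. The in-memory group table standing in for the LDAP directory is constructed, and queries are assumed to be plain "user group" lines without a concurrency channel id.

```python
import sys

# Constructed stand-in for the LDAP group directory (not real data).
GROUPS = {"alice": {"staff", "vpn"}, "bob": {"staff"}}


class BackendError(Exception):
    """The directory could not be contacted (simulated bind failure)."""


def lookup_groups(user, backend):
    """Return the set of groups for user, or raise BackendError."""
    if backend is None:  # simulates "Can't contact LDAP server"
        raise BackendError("could_not_bind_to_directory")
    return backend.get(user, set())


def classify(line, backend=GROUPS):
    """Map one query line ("user group") to a helper reply line.

    OK  - lookup worked and user is in group (ACL matches)
    ERR - lookup worked and user is not in group (ACL does not match)
    BH  - the helper itself failed; Squid must not cache this as a
          negative match (message= is a standard helper reply key)
    """
    parts = line.split()
    if len(parts) != 2:
        return "BH message=malformed_query"  # protocol error, not "no match"
    user, group = parts
    try:
        groups = lookup_groups(user, backend)
    except BackendError as exc:
        return "BH message=" + str(exc)  # backend failure, not ERR
    return "OK" if group in groups else "ERR"


def main():
    # Squid sends one query per line and expects exactly one reply line each.
    for line in sys.stdin:
        sys.stdout.write(classify(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```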
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp://staging/~squid/squid/trunk