|
| 1 | +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
| 2 | +<HTML> |
| 3 | + <HEAD> |
| 4 | + <TITLE> [squid-dev] forward bumped traffic to parent in plain form |
| 5 | + </TITLE> |
| 6 | + <LINK REL="Index" HREF="index.html" > |
| 7 | + <LINK REL="made" HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20forward%20bumped%20traffic%20to%20parent%20in%20plain%20form&In-Reply-To=%3C532105899.20260407175513%40yahoo.com%3E"> |
| 8 | + <META NAME="robots" CONTENT="index,nofollow"> |
| 9 | + <style type="text/css"> |
| 10 | + pre { |
| 11 | + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ |
| 12 | + } |
| 13 | + </style> |
| 14 | + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> |
| 15 | + <LINK REL="Previous" HREF="010003.html"> |
| 16 | + |
| 17 | + </HEAD> |
| 18 | + <BODY BGCOLOR="#ffffff"> |
| 19 | + <H1>[squid-dev] forward bumped traffic to parent in plain form</H1> |
| 20 | + <B>Anthony Pankov</B> |
| 21 | + <A HREF="mailto:squid-dev%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-dev%5D%20forward%20bumped%20traffic%20to%20parent%20in%20plain%20form&In-Reply-To=%3C532105899.20260407175513%40yahoo.com%3E" |
| 22 | + TITLE="[squid-dev] forward bumped traffic to parent in plain form">anthony.pankov at yahoo.com |
| 23 | + </A><BR> |
| 24 | + <I>Tue Apr 7 14:55:13 UTC 2026</I> |
| 25 | + <P><UL> |
| 26 | + <LI>Previous message (by thread): <A HREF="010003.html">[squid-dev] forward bumped traffic to parent in plain form |
| 27 | +</A></li> |
| 28 | + |
| 29 | + <LI> <B>Messages sorted by:</B> |
| 30 | + <a href="date.html#10005">[ date ]</a> |
| 31 | + <a href="thread.html#10005">[ thread ]</a> |
| 32 | + <a href="subject.html#10005">[ subject ]</a> |
| 33 | + <a href="author.html#10005">[ author ]</a> |
| 34 | + </LI> |
| 35 | + </UL> |
| 36 | + <HR> |
| 37 | +<!--beginarticle--> |
| 38 | +<PRE> |
| 39 | +Friday, April 3, 2026, 6:47:26 PM, you wrote: |
| 40 | + |
| 41 | +><i> On 2026-04-03 07:20, Anthony Pankov wrote: |
| 42 | +</I>>><i> > I've tried to call getSslContextStart() in startPeakAndSplice(). |
| 43 | +</I>>><i> > But the problem is: |
| 44 | +</I>>><i> getSslContextStart() return synchronously in most cases after calling getSslContextDone(). |
| 45 | +</I>>><i> > But in the case of #if USE_SSL_CRTD (my case) it return after sending request to CRTD without calling getSslContextDone(). |
| 46 | +</I>>><i> getSslContextDone() will be called further in sslCrtdHandleReplyWrapper(). |
| 47 | +</I>>><i> > So we are back in startPeakAndSplice() without getSslContextDone() and connections are closed. |
| 48 | +</I>>><i> > Is there a preferred way to solve this problem? |
| 49 | +</I> |
| 50 | +><i> AFAICT, in your case, startPeekAndSplice() should do nothing when the added getSslContextStart() call returns. From <A HREF="https://ml-archives.squid-cache.org/squid-dev/2026-March/009992.html">https://ml-archives.squid-cache.org/squid-dev/2026-March/009992.html</A> : getSslContextStart() should eventually trigger a call to getSslContextDone() with a non-nil Security::ContextPointer that calls httpsCreate() with the transaction-specific security context (SNI, etc.). |
| 51 | +</I> |
| 52 | +There are conditional-branch inside getSslContextStart(): |
| 53 | +... |
| 54 | + |
| 55 | +if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) { |
| 56 | + %branch A% |
| 57 | + ... |
| 58 | + Ssl::configureUnconfiguredSslContext(ctx, certProperties.signAlgorithm, *port); |
| 59 | + } else { |
| 60 | + %branch B% |
| 61 | +... |
| 62 | + getSslContextDone(dynCtx); |
| 63 | + } |
| 64 | + |
| 65 | +If I understand correctly branch B must be choosen for my case. |
| 66 | + |
| 67 | +But my configuration (as discussed previously) is: |
| 68 | +ssl_bump stare ssl_bump_step_1 |
| 69 | +ssl_bump bump all |
| 70 | + |
| 71 | +So the condition inside getSslContextStart() is true and the branchA is choosen. The sslServerBump is always true because: |
| 72 | +void |
| 73 | +ConnStateData::startPeekAndSplice() |
| 74 | +{ |
| 75 | + // This is the Step2 of the SSL bumping |
| 76 | + assert(sslServerBump); |
| 77 | +... |
| 78 | + |
| 79 | +Do anybody have any idea about what case is behind this: |
| 80 | +if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) { |
| 81 | + |
| 82 | + |
| 83 | +P.S. I don't find any logic related to step3 also . |
| 84 | + |
| 85 | +-- |
| 86 | +Best regards, |
| 87 | +Anthony |
| 88 | + |
| 89 | +</PRE> |
| 90 | + |
| 91 | +<!--endarticle--> |
| 92 | + <HR> |
| 93 | + <P><UL> |
| 94 | + <!--threads--> |
| 95 | + <LI>Previous message (by thread): <A HREF="010003.html">[squid-dev] forward bumped traffic to parent in plain form |
| 96 | +</A></li> |
| 97 | + |
| 98 | + <LI> <B>Messages sorted by:</B> |
| 99 | + <a href="date.html#10005">[ date ]</a> |
| 100 | + <a href="thread.html#10005">[ thread ]</a> |
| 101 | + <a href="subject.html#10005">[ subject ]</a> |
| 102 | + <a href="author.html#10005">[ author ]</a> |
| 103 | + </LI> |
| 104 | + </UL> |
| 105 | + |
| 106 | +<hr> |
| 107 | +<a href="https://lists.squid-cache.org/listinfo/squid-dev">More information about the squid-dev |
| 108 | +mailing list</a><br> |
| 109 | +</body></html> |
0 commit comments