[git.ipfire.org] IPFire 2.x development tree branch, next, updated. e01b933cc28814d8650f829712639b4eb0d991e6

[git@ipfire.org]

[-- Attachment #1: Type: text/plain, Size: 5700 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  e01b933cc28814d8650f829712639b4eb0d991e6 (commit)
      from  8057ab15b9efeecf8eca7ad4ebba170f141bd3de (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e01b933cc28814d8650f829712639b4eb0d991e6
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date:   Sat Feb 11 15:39:26 2017 +0100

    squid 3.5.24: latest patch (14142)
    
    (Fixed: wrong squid version from previous commit)
    
    "Bump SSL client on [more] errors encountered before ssl_bump evaluation"
    
    Best,
    Matthias
    
    Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/squid                               |  1 +
 src/patches/squid/squid-3.5-14142.patch | 72 +++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 src/patches/squid/squid-3.5-14142.patch

Difference in files:
diff --git a/lfs/squid b/lfs/squid
index 4a8d9d8..6d55751 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14142.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch
 
 	cd $(DIR_APP) && autoreconf -vfi
diff --git a/src/patches/squid/squid-3.5-14142.patch b/src/patches/squid/squid-3.5-14142.patch
new file mode 100644
index 0000000..8649e27
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14142.patch
@@ -0,0 +1,72 @@
+------------------------------------------------------------
+revno: 14142
+revision-id: squid3(a)treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
+parent: squid3(a)treenet.co.nz-20170128035415-bpwt79jsobv1rqx3
+author: Christos Tsantilas <chtsanti(a)users.sourceforge.net>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Wed 2017-02-08 18:40:33 +1300
+message:
+  Bump SSL client on [more] errors encountered before ssl_bump evaluation
+  
+  ... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
+  http_access deny rule match.
+  
+  The old code allowed ssl_bump step1 rules to be evaluated in the
+  presence of an error. An ssl_bump splicing decision would then trigger
+  the useless "send the error to the client now" processing logic instead
+  of going down the "to serve an error, bump the client first" path.
+  
+  Furthermore, the ssl_bump evaluation result itself could be surprising
+  to the admin because ssl_bump (and most other) rules are not meant to be
+  evaluated for a transaction in an error state. This complicated triage.
+  
+  Also polished an important comment to clarify that we want to bump on
+  error if (and only if) the SslBump feature is applicable to the failed
+  transaction (i.e., if the ssl_bump rules would have been evaluated if
+  there were no prior errors). The old comment could have been
+  misinterpreted that ssl_bump rules must be evaluated to allow an
+  "ssl_bump splice" match to hide the error.
+  
+  This is a Measurement Factory project.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8c3f2a03f86aa1b1484195a63742bc4002ba2359
+# timestamp: 2017-02-08 05:51:15 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170128035415-\
+#   bpwt79jsobv1rqx3
+# 
+# Begin patch
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc	2017-01-23 02:05:46 +0000
++++ src/client_side_request.cc	2017-02-08 05:40:33 +0000
+@@ -1442,6 +1442,13 @@
+         return false;
+     }
+ 
++    if (error) {
++        debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
++        http->sslBumpNeed(Ssl::bumpBump);
++        http->al->ssl.bumpMode = Ssl::bumpBump;
++        return false;
++    }
++
+     // Do not bump during authentication: clients would not proxy-authenticate
+     // if we delay a 407 response and respond with 200 OK to CONNECT.
+     if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
+@@ -1781,8 +1788,9 @@
+     }
+ 
+ #if USE_OPENSSL
+-    // We need to check for SslBump even if the calloutContext->error is set
+-    // because bumping may require delaying the error until after CONNECT.
++    // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
++    // whether SslBump applies to this transaction. If it applies, we will
++    // attempt to bump the client to serve the error.
+     if (!calloutContext->sslBumpCheckDone) {
+         calloutContext->sslBumpCheckDone = true;
+         if (calloutContext->sslBumpAccessCheck())
+


hooks/post-receive
--
IPFire 2.x development tree