On 07/26/2013 03:49 PM, Amos Jeffries wrote:
> On 26/07/2013 10:20 p.m., Tsantilas Christos wrote:
>> This patch try to detect infinite OpenSSL validation loops.
>>
>> If OpenSSL is stuck in a validation loop, Squid breaks the loop and
>> triggers a new custom SQUID_X509_V_ERR_INFINITE_VALIDATION SSL
>> validation error.
>> That error cannot be bypassed using sslproxy_cert_error because to break
>> the loop Squid has to tell OpenSSL that the certificate is invalid,
>> which terminates the SSL connection.
>>
>> The cause for this patch is the following bug in Openssl (but maybe in
>> future other similar problems found):
>> http://rt.openssl.org/Ticket/Display.html?id=3090 (login with
>> guest/guest)
>>
>> This is a Measurement Factory project
>
> Please make the validation counter a fixed-size (uint16/32/64_t) and add
> a note where SQUID_CERT_VALIDATION_ITERATION_MAX is defined about what
> the absolute upper MAX limit that can be defined for the loop is.
I will use an uint32_t type, and I will add a comment about the maximum
value...
However it is not important, I do not believe that someone will use a
higher number than the already defined number...
Actually I believe that any number greater than 100 is not needed here...
>
> +1. Otherwise fine as far as I can tell. Although I'm not aware enough
> about OpenSSL API to fully judge.
I will wait for more comments and I will apply it tomorrow. I remember
complains in squid-mailing list that squid enters infinity loops. Maybe
this is fixes some of these problems...
Regards,
Christos
> Amos
>
Received on Fri Jul 26 2013 - 15:31:06 MDT
This archive was generated by hypermail 2.2.0 : Sat Jul 27 2013 - 12:00:50 MDT