On 27/07/2013 3:30 a.m., Tsantilas Christos wrote:
> On 07/26/2013 03:49 PM, Amos Jeffries wrote:
>> On 26/07/2013 10:20 p.m., Tsantilas Christos wrote:
>>> This patch try to detect infinite OpenSSL validation loops.
>>>
>>> If OpenSSL is stuck in a validation loop, Squid breaks the loop and
>>> triggers a new custom SQUID_X509_V_ERR_INFINITE_VALIDATION SSL
>>> validation error.
>>> That error cannot be bypassed using sslproxy_cert_error because to break
>>> the loop Squid has to tell OpenSSL that the certificate is invalid,
>>> which terminates the SSL connection.
>>>
>>> The cause for this patch is the following bug in Openssl (but maybe in
>>> future other similar problems found):
>>> http://rt.openssl.org/Ticket/Display.html?id=3090 (login with
>>> guest/guest)
>>>
>>> This is a Measurement Factory project
>> Please make the validation counter a fixed-size (uint16/32/64_t) and add
>> a note where SQUID_CERT_VALIDATION_ITERATION_MAX is defined about what
>> the absolute upper MAX limit that can be defined for the loop is.
> I will use an uint32_t type, and I will add a comment about the maximum
> value...
> However it is not important, I do not believe that someone will use a
> higher number than the already defined number...
> Actually I believe that any number greater than 100 is not needed here...
Yes quite probably. I'm just wanting to ensure that there is a
consistent upper limit here across all Squid builds and installations,
and assuming int is >32-bit on Hurd machines can be a mistake.
The default value should be whatever seems reasonable to you. We don't
want it to take too long to find errors, but also cope with even the
longest expected chains.
>
>> +1. Otherwise fine as far as I can tell. Although I'm not aware enough
>> about OpenSSL API to fully judge.
> I will wait for more comments and I will apply it tomorrow. I remember
> complains in squid-mailing list that squid enters infinity loops. Maybe
> this is fixes some of these problems...
Ok.
PS. If you can find some of the complainers it would be worth sending
them a mail about the proposed patch. But don't stress yourself over that.
Amos
Received on Sat Jul 27 2013 - 02:06:39 MDT
This archive was generated by hypermail 2.2.0 : Sat Jul 27 2013 - 12:00:50 MDT