176
175
bool useCertValidator_; ///< whether the certificate validator should bypassed
179
/// A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
180
class BlindPeerConnector: public PeerConnector {
181
CBDATA_CLASS(BlindPeerConnector);
183
BlindPeerConnector(HttpRequestPointer &aRequest,
184
const Comm::ConnectionPointer &aServerConn,
185
AsyncCall::Pointer &aCallback, const time_t timeout = 0) :
186
AsyncJob("Ssl::BlindPeerConnector"),
187
PeerConnector(aServerConn, aCallback, timeout)
192
/* PeerConnector API */
194
/// Calls parent initializeSSL, configure the created SSL object to try reuse SSL session
195
/// and sets the hostname to use for certificates validation
196
virtual Security::SessionPtr initializeSsl();
198
/// Return the configured Security::ContextPtr object
199
virtual Security::ContextPtr getSslContext();
201
/// On error calls peerConnectFailed function, on success store the used SSL session
203
virtual void noteNegotiationDone(ErrorState *error);
206
/// A PeerConnector for HTTP origin servers. Capable of SslBumping.
207
class PeekingPeerConnector: public PeerConnector {
208
CBDATA_CLASS(PeekingPeerConnector);
210
PeekingPeerConnector(HttpRequestPointer &aRequest,
211
const Comm::ConnectionPointer &aServerConn,
212
const Comm::ConnectionPointer &aClientConn,
213
AsyncCall::Pointer &aCallback, const time_t timeout = 0) :
214
AsyncJob("Ssl::PeekingPeerConnector"),
215
PeerConnector(aServerConn, aCallback, timeout),
216
clientConn(aClientConn),
218
resumingSession(false),
219
serverCertificateHandled(false)
224
/* PeerConnector API */
225
virtual Security::SessionPtr initializeSsl();
226
virtual Security::ContextPtr getSslContext();
227
virtual void noteWantWrite();
228
virtual void noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
229
virtual void noteNegotiationDone(ErrorState *error);
231
/// Updates associated client connection manager members
232
/// if the server certificate was received from the server.
233
void handleServerCertificate();
235
/// Initiates the ssl_bump acl check in step3 SSL bump step to decide
236
/// about bumping, splicing or terminating the connection.
237
void checkForPeekAndSplice();
239
/// Callback function for ssl_bump acl check in step3 SSL bump step.
240
void checkForPeekAndSpliceDone(allow_t answer);
242
/// Handles the final bumping decision.
243
void checkForPeekAndSpliceMatched(const Ssl::BumpMode finalMode);
245
/// Guesses the final bumping decision when no ssl_bump rules match.
246
Ssl::BumpMode checkForPeekAndSpliceGuess() const;
248
/// Runs after the server certificate verified to update client
249
/// connection manager members
250
void serverCertificateVerified();
252
/// A wrapper function for checkForPeekAndSpliceDone for use with acl
253
static void cbCheckForPeekAndSpliceDone(allow_t answer, void *data);
256
Comm::ConnectionPointer clientConn; ///< TCP connection to the client
257
AsyncCall::Pointer callback; ///< we call this with the results
258
AsyncCall::Pointer closeHandler; ///< we call this when the connection closed
259
bool splice; ///< whether we are going to splice or not
260
bool resumingSession; ///< whether it is an SSL resuming session connection
261
bool serverCertificateHandled; ///< whether handleServerCertificate() succeeded
264
178
} // namespace Ssl
266
#endif /* SQUID_PEER_CONNECTOR_H */
180
#endif /* USE_OPENSSL */
181
#endif /* SQUID_SRC_SSL_PEERCONNECTOR_H */