PeerConnector.cc
38 Security::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) :
121 const auto err = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, request.getRaw(), al);
131 const auto err = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scGatewayTimeout, request.getRaw(), al);
150 const auto anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw(), al);
182 debugs(83, 3, "will not fetch any missing certificates; suspecting cycle: " << certDownloadNestingLevel() << '/' << MaxNestedDownloads);
246 !(result.errorDetail && result.errorDetail->errorNo() == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY))
249 debugs(83, DBG_IMPORTANT, "ERROR: Squid BUG: Honoring unexpected SSL_connect() failure: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY");
304 if (Security::CertErrors *errs = static_cast<Security::CertErrors *>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors)))
309 AsyncCall::Pointer call = asyncCall(83,5, "Security::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerConnector::sslCrtvdHandleReply, nullptr));
318 const auto anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw(), al);
333 Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse)
344 debugs(83, 5, "cert validation result: " << validationResponse->resultCode << RawPointer(" host: ", server));
350 Security::CertErrors *oldErrs = static_cast<Security::CertErrors*>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors));
368 anErr = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, request.getRaw(), al);
384 Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, ErrorDetail::Pointer &errDetails)
406 check->sslErrors = new Security::CertErrors(Security::CertError(i->error_no, i->cert, i->error_depth));
580 const auto anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw(), al);
659 debugs(81, 5, "Certificate downloading status: " << downloadStatus << " certificate size: " << obj.length());
719 auto &callerHandlesMissingCertificates = Ssl::VerifyCallbackParameters::At(sconn).callerHandlesMissingCertificates;
776 const ErrorDetail::Pointer errorDetail = new ErrorDetail(SQUID_TLS_ERR_CONNECT, SSL_ERROR_SSL, 0);
bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx)
Definition: Session.cc:183
PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout=0)
Definition: PeerConnector.cc:38
Definition: AsyncJob.h:32
AsyncCall::Pointer comm_add_close_handler(int fd, CLCB *handler, void *data)
Definition: comm.cc:921
Definition: CbDataList.h:16
Definition: FilledChecklist.h:33
void appendf(const char *fmt,...) PRINTF_FORMAT_ARG2
Append operation with printf-style arguments.
Definition: Packable.h:61
CbcPointer< Security::PeerConnector > peerConnector_
The Security::PeerConnector object.
Definition: PeerConnector.cc:623
bool missingChainCertificatesUrls(std::queue< SBuf > &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1222
virtual bool initialize(Security::SessionPointer &)
Definition: PeerConnector.cc:138
static std::ostream & Extra(std::ostream &os)
prefixes each grouped debugs() line after the first one in the group
Definition: Stream.h:117
int ssl_ex_index_ssl_errors
EncryptorAnswer & answer()
convenience method to get to the answer fields
Definition: PeerConnector.cc:500
static void NegotiateSsl(int fd, void *data)
A wrapper for Comm::SetSelect() notifications.
Definition: PeerConnector.cc:442
void callBack()
a bail(), sendSuccess() helper: sends results to the initiator
Definition: PeerConnector.cc:561
Definition: EncryptorAnswer.h:22
void commTimeoutHandler(const CommTimeoutCbParams &)
The connection read timeout callback handler.
Definition: PeerConnector.cc:128
void error(char *format,...)
void certDownloadingDone(SBuf &object, int status)
Called by Downloader after a certificate object downloaded.
Definition: PeerConnector.cc:654
int commSetConnTimeout(const Comm::ConnectionPointer &conn, int timeout, AsyncCall::Pointer &callback)
Definition: comm.cc:563
static VerifyCallbackParameters & At(Security::Connection &)
Definition: support.cc:551
PconnPool * fwdPconnPool
a collection of previously used persistent Squid-to-peer HTTP(S) connections
Definition: FwdState.cc:77
unsigned int certDownloadNestingLevel() const
the number of concurrent PeerConnector jobs waiting for us
Definition: PeerConnector.cc:628
virtual CallDialer * getDialer()=0
Definition: CbcPointer.h:26
static VerifyCallbackParameters * New(Security::Connection &)
Definition: support.cc:539
virtual void fillChecklist(ACLFilledChecklist &) const
configure the given checklist (to reflect the current transaction state)
Definition: PeerConnector.cc:92
void detailError(const ErrorDetail::Pointer &dCode)
set error type-specific detail code
Definition: errorpage.h:109
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
Definition: FilledChecklist.h:101
virtual bool canDial(AsyncCall &)
Definition: PeerConnector.cc:620
AsyncCall::Pointer closeHandler
we call this when the connection closed
Definition: PeerConnector.h:207
void recordNegotiationDetails()
Definition: PeerConnector.cc:192
Definition: bio.h:123
Definition: AsyncJobCalls.h:108
const Security::TlsDetails::Pointer & receivedHelloDetails() const
Definition: bio.h:170
static bool Enabled(const int section, const int level)
whether debugging the given section and the given level produces output
Definition: Stream.h:79
void disconnect()
a bail(), sendSuccess() helper: stops monitoring the connection
Definition: PeerConnector.cc:544
Definition: PeerConnector.h:49
void handleMissingCertificates(const Security::IoResult &lastError)
Either initiates fetching of missing certificates or bails with an error.
Definition: PeerConnector.cc:709
Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1196
bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts)
Definition: support.cc:441
virtual void dial(AsyncCall &)
Definition: PeerConnector.cc:621
void suspendNegotiation(const Security::IoResult &lastError)
Definition: PeerConnector.cc:754
Definition: MemBuf.h:24
virtual void noteNegotiationError(const Security::ErrorDetailPointer &)
Called when the SSL_connect function aborts with an SSL negotiation error.
Definition: PeerConnector.cc:488
virtual ~PeerConnector()
Callback dialer API to allow PeerConnector to set the answer.
Definition: PeerConnector.h:57
#define CallJobHere(debugSection, debugLevel, job, Class, method)
Definition: AsyncJobCalls.h:58
const char * findIssuerUri(X509 *cert)
finds certificate issuer URI in the Authority Info Access extension
Definition: support.cc:1079
void countFailingConnection()
updates connection usage history before the connection is closed
Definition: PeerConnector.cc:533
const char * dash_str
virtual const char * status() const
internal cleanup; do not call directly
Definition: PeerConnector.cc:588
virtual void syncAle(HttpRequest *adaptedRequest, const char *logUri) const
assigns uninitialized adapted_request and url ALE components
Definition: FilledChecklist.cc:131
Security::CertErrors * sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, ErrorDetailPointer &)
Check SSL errors returned from cert validator against sslproxy_cert_error access list.
Definition: PeerConnector.cc:384
Definition: CommCalls.h:181
void negotiateSsl()
Comm::SetSelect() callback. Direct calls tickle/resume negotiations.
Definition: PeerConnector.cc:452
CBDATA_NAMESPACED_CLASS_INIT(Security, PeerConnector)
Definition: Downloader.h:31
#define JobCallback(dbgSection, dbgLevel, Dialer, job, method)
Convenience macro to create a Dialer-based job callback.
Definition: AsyncJobCalls.h:69
int commUnsetConnTimeout(const Comm::ConnectionPointer &conn)
Definition: comm.cc:589
CbDataList< Security::CertError > CertErrors
Holds a list of X.509 certificate errors.
Definition: forward.h:68
int ssl_ex_index_server
void handleNegotiationResult(const Security::IoResult &)
Called after each negotiation step to handle the result.
Definition: PeerConnector.cc:258
PeerConnectorCertDownloaderDialer(Method method, Security::PeerConnector *pc)
Definition: PeerConnector.cc:615
void SetSelect(int, unsigned int, PF *, void *, time_t)
Mark an FD to be watched for its IO status.
Definition: ModDevPoll.cc:223
static ErrorState * NewForwarding(err_type, HttpRequestPointer &, const AccessLogEntryPointer &)
Creates a general request forwarding error with the right http_status.
Definition: errorpage.cc:675
int ssl_ex_index_cert_error_check
void resumeNegotiation()
Resumes TLS negotiation paused by suspendNegotiation()
Definition: PeerConnector.cc:764
IoResult Connect(Comm::Connection &transport)
establish a TLS connection over the specified from-Squid transport connection
Definition: Io.cc:212
CallDialer that allows the use of Downloader objects within the PeerConnector class.
Definition: PeerConnector.cc:611
struct SquidConfig::@121 ssl_client
AsyncCall * asyncCall(int aDebugSection, int aDebugLevel, const char *aName, const Dialer &aDialer)
Definition: AsyncCall.h:154
Definition: CommCalls.h:139
static void Submit(Ssl::CertValidationRequest const &request, AsyncCall::Pointer &)
Submit crtd request message to external crtd server.
Definition: helper.cc:301
Definition: CommCalls.h:133
void commCloseHandler(const CommCloseCbParams &params)
The comm_close callback handler.
Definition: PeerConnector.cc:110
time_t MortalReadTimeout(const time_t startTime, const time_t lifetimeLimit)
maximum read delay for readers with limited lifetime
Definition: Read.cc:248
void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer)
Process response from cert validator helper.
Definition: PeerConnector.cc:333
bool callerHandlesMissingCertificates
Definition: support.h:356
Definition: errorpage.h:87
Definition: CertError.h:20
bool computeMissingCertificateUrls(const Connection &)
finds URLs of (some) missing intermediate certificates or returns false
Definition: PeerConnector.cc:735
RawPointerT< Pointer > RawPointer(const char *label, const Pointer &ptr)
convenience wrapper for creating RawPointerT<> objects
Definition: IoManip.h:36
virtual void start()
Preps connection and SSL state. Calls negotiate().
Definition: PeerConnector.cc:71
Definition: AsyncCall.h:40
void resetWithoutLocking(T *t)
Reset raw pointer - unlock any previous one and save new one without locking.
Definition: LockingPointer.h:111
void comm_remove_close_handler(int fd, CLCB *handler, void *data)
Definition: comm.cc:950
ErrorDetail::Pointer MakeNamedErrorDetail(const char *name)
Definition: Detail.cc:54
void startCertDownloading(SBuf &url)
Start downloading procedure for the given URL.
Definition: PeerConnector.cc:641