A PeerConnector for HTTP origin servers. Capable of SslBumping. More...

#include <PeekingPeerConnector.h>

Inheritance diagram for Ssl::PeekingPeerConnector:
Collaboration diagram for Ssl::PeekingPeerConnector:

Public Types

typedef CbcPointer< PeerConnector > Pointer

Public Member Functions

 PeekingPeerConnector (HttpRequestPointer &aRequest, const Comm::ConnectionPointer &aServerConn, const Comm::ConnectionPointer &aClientConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout=0)
virtual bool initialize (Security::SessionPointer &)
virtual Security::ContextPointer getTlsContext ()
virtual void noteWantWrite ()
virtual void noteNegotiationError (const Security::ErrorDetailPointer &)
 Called when the SSL_connect function aborts with an SSL negotiation error. More...
virtual void noteNegotiationDone (ErrorState *error)
void handleServerCertificate ()
void checkForPeekAndSplice ()
void checkForPeekAndSpliceDone (Acl::Answer answer)
 Callback for the ssl_bump ACL check in SSL bump step 3. More...
void checkForPeekAndSpliceMatched (const Ssl::BumpMode finalMode)
 Handles the final bumping decision. More...
Ssl::BumpMode checkForPeekAndSpliceGuess () const
 Guesses the final bumping decision when no ssl_bump rules match. More...
void serverCertificateVerified ()
void startTunneling ()
 Abruptly stops TLS negotiation and starts tunneling. More...
bool canBeCalled (AsyncCall &call) const
 whether we can be called More...
void callStart (AsyncCall &call)
virtual void callEnd ()
 called right after the called job method More...
virtual void callException (const std::exception &e)
 called when the job throws during an async call More...
virtual void * toCbdata ()=0

Static Public Member Functions

static void cbCheckForPeekAndSpliceDone (Acl::Answer answer, void *data)
 A wrapper function for checkForPeekAndSpliceDone for use with acl. More...
static Pointer Start (AsyncJob *job)
 starts a freshly created job (i.e., makes the job asynchronous) More...

Public Attributes

bool noteFwdPconnUse
 hack: whether the connection requires fwdPconnPool->noteUses() More...

Protected Member Functions

virtual void start ()
 Preps connection and SSL state. Calls negotiate(). More...
virtual bool doneAll () const
 whether positive goal has been reached More...
virtual void swanSong ()
virtual const char * status () const
 internal cleanup; do not call directly More...
void commTimeoutHandler (const CommTimeoutCbParams &)
 The connection read timeout callback handler. More...
void commCloseHandler (const CommCloseCbParams &params)
 The comm_close callback handler. More...
void negotiate ()
bool sslFinalized ()
void handleNegotiateError (const int result)
void noteWantRead ()
bool checkForMissingCertificates ()
void startCertDownloading (SBuf &url)
 Start downloading procedure for the given URL. More...
void certDownloadingDone (SBuf &object, int status)
 Called by Downloader after a certificate object downloaded. More...
Comm::ConnectionPointer const & serverConnection () const
 mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl More...
void bail (ErrorState *error)
 sends the given error to the initiator More...
void sendSuccess ()
 sends the encrypted connection to the initiator More...
void callBack ()
 a bail(), sendSuccess() helper: sends results to the initiator More...
void disconnect ()
 a bail(), sendSuccess() helper: stops monitoring the connection More...
void bypassCertValidator ()
 If called, the certificate validator will not be used. More...
void recordNegotiationDetails ()
void deleteThis (const char *aReason)
void mustStop (const char *aReason)
bool done () const
 the job is destroyed in callEnd() when done() More...

Protected Attributes

HttpRequestPointer request
 peer connection trigger or cause More...
Comm::ConnectionPointer serverConn
 TCP connection to the peer. More...
AccessLogEntryPointer al
 info for the future access.log entry More...
AsyncCall::Pointer callback
 we call this with the results More...
const char * stopReason
 reason for forcing done() to be true More...
const char * typeName
 kid (leaf) class name, for debugging More...
AsyncCall::Pointer inCall
 the asynchronous call being handled, if any More...
const InstanceId< AsyncJob > id
 job identifier More...

Private Member Functions

 CBDATA_CLASS (PeekingPeerConnector)
void tunnelInsteadOfNegotiating ()
 Inform caller class that the SSL negotiation aborted. More...
void sslCrtvdHandleReply (Ssl::CertValidationResponsePointer)
 Process response from cert validator helper. More...
Security::CertErrors * sslCrtvdCheckForErrors (Ssl::CertValidationResponse const &, ErrorDetailPointer &)
 Check SSL errors returned from cert validator against sslproxy_cert_error access list. More...
void negotiateSsl ()
 Comm::SetSelect() callback. Direct calls tickle/resume negotiations. More...

Static Private Member Functions

static void NegotiateSsl (int fd, void *data)
 A wrapper for Comm::SetSelect() notifications. More...

Private Attributes

Comm::ConnectionPointer clientConn
 TCP connection to the client. More...
AsyncCall::Pointer closeHandler
 we call this when the connection closed More...
bool splice
 whether we are going to splice or not More...
bool serverCertificateHandled
 whether handleServerCertificate() succeeded More...
time_t negotiationTimeout
 the SSL connection timeout to use More...
time_t startTime
 when the peer connector negotiation started More...
bool useCertValidator_
std::queue< SBuf > urlsOfMissingCerts
 The list of URLs where missing certificates should be downloaded. More...
unsigned int certsDownloads
 the number of downloaded missing certificates More...

Static Private Attributes

static const unsigned int MaxCertsDownloads = 10
 The maximum allowed missing certificates downloads. More...
static const unsigned int MaxNestedDownloads = 3
 The maximum allowed nested certificates downloads. More...

Detailed Description

Definition at line 20 of file PeekingPeerConnector.h.

Member Typedef Documentation

◆ Pointer

Definition at line 46 of file PeerConnector.h.

Constructor & Destructor Documentation

◆ PeekingPeerConnector()

Ssl::PeekingPeerConnector::PeekingPeerConnector ( HttpRequestPointer & aRequest,
const Comm::ConnectionPointer & aServerConn,
const Comm::ConnectionPointer & aClientConn,
AsyncCall::Pointer & aCallback,
const AccessLogEntryPointer & alp,
const time_t timeout = 0 )

Definition at line 23 of file PeekingPeerConnector.h.

References Security::PeerConnector::request.

Member Function Documentation

◆ bail()

void Security::PeerConnector::bail ( ErrorState * error )

◆ bypassCertValidator()

void Security::PeerConnector::bypassCertValidator ( )

Definition at line 149 of file PeerConnector.h.

References Security::PeerConnector::useCertValidator_.

◆ callBack()

void Security::PeerConnector::callBack ( )

◆ callEnd()

void AsyncJob::callEnd ( )

◆ callException()

◆ callStart()

void AsyncJob::callStart ( AsyncCall & call )

◆ canBeCalled()

bool AsyncJob::canBeCalled ( AsyncCall & call ) const

Definition at line 101 of file AsyncJob.cc.

References AsyncCall::cancel(), debugs, HERE(), AsyncJob::inCall, and NULL.

◆ cbCheckForPeekAndSpliceDone()

void Ssl::PeekingPeerConnector::cbCheckForPeekAndSpliceDone ( Acl::Answer answer,
void * data )

Definition at line 30 of file PeekingPeerConnector.cc.

References CallJobHere1, checkForPeekAndSpliceDone(), and data.

Referenced by checkForPeekAndSplice().


◆ CBDATA_CLASS()

Ssl::PeekingPeerConnector::CBDATA_CLASS ( PeekingPeerConnector )

◆ certDownloadingDone()

void Security::PeerConnector::certDownloadingDone ( SBuf & object,
int status )

◆ checkForMissingCertificates()

bool Security::PeerConnector::checkForMissingCertificates ( )

Walks the certificate list sent by the SSL server and checks whether any intermediate certificates are missing. If the issued certificates carry an Authority Info Access extension, the URLs of the missing certificates are added to the urlsOfMissingCerts list.

Definition at line 607 of file PeerConnector.cc.

References BIO_get_data(), debugs, fd_table, Ssl::missingChainCertificatesUrls(), Downloader::nestedLevel(), request(), and Ssl::ServerBio::serverCertificatesIfAny().

◆ checkForPeekAndSplice()

void Ssl::PeekingPeerConnector::checkForPeekAndSplice ( )

◆ checkForPeekAndSpliceDone()

void Ssl::PeekingPeerConnector::checkForPeekAndSpliceDone ( Acl::Answer  answer)

Definition at line 38 of file PeekingPeerConnector.cc.

References Acl::Answer::allowed(), and Acl::Answer::kind.

Referenced by cbCheckForPeekAndSpliceDone().

◆ checkForPeekAndSpliceGuess()

Ssl::BumpMode Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess ( ) const

Definition at line 117 of file PeekingPeerConnector.cc.

References Ssl::bumpBump, Ssl::bumpSplice, Ssl::bumpStare, debugs, and request().

◆ checkForPeekAndSpliceMatched()

◆ commCloseHandler()

void Security::PeerConnector::commCloseHandler ( const CommCloseCbParams & params )

◆ commTimeoutHandler()

void Security::PeerConnector::commTimeoutHandler ( const CommTimeoutCbParams & )

◆ deleteThis()

void AsyncJob::deleteThis ( const char *  aReason)

◆ disconnect()

void Security::PeerConnector::disconnect ( )

Definition at line 473 of file PeerConnector.cc.

References comm_remove_close_handler(), and commUnsetConnTimeout().

◆ done()

bool AsyncJob::done ( ) const

◆ doneAll()

bool Security::PeerConnector::doneAll ( ) const

Reimplemented from AsyncJob.

Definition at line 60 of file PeerConnector.cc.

References callback, and AsyncJob::doneAll().

◆ getTlsContext()

Security::ContextPointer Ssl::PeekingPeerConnector::getTlsContext ( )

Must be implemented by the kid classes to return the TLS context object to use for building the encryption context objects.

Implements Security::PeerConnector.

Definition at line 134 of file PeekingPeerConnector.cc.

References Config, SquidConfig::ssl_client, and SquidConfig::sslContext.

◆ handleNegotiateError()

void Security::PeerConnector::handleNegotiateError ( const int  result)

Called when the negotiation step aborted, either because data needs to be transferred to/from the server or because of an error. In the first case it sets up the appropriate Comm::SetSelect handler. In the second case it fills in an error and reports it to the PeerConnector caller.

◆ handleServerCertificate()

void Ssl::PeekingPeerConnector::handleServerCertificate ( )

Updates associated client connection manager members if the server certificate was received from the server.

Definition at line 356 of file PeekingPeerConnector.cc.

References fd_table, and request().

◆ initialize()

◆ mustStop()

◆ negotiate()

void Security::PeerConnector::negotiate ( )

Performs a single secure connection negotiation step. It is called multiple times until the negotiation finishes or aborts.

Definition at line 169 of file PeerConnector.cc.

References Security::Connect(), debugs, fd_table, Security::IoResult::ioError, Security::IoResult::ioSuccess, Security::IoResult::ioWantRead, and Security::IoResult::ioWantWrite.

◆ negotiateSsl()

void Security::PeerConnector::negotiateSsl ( )

Definition at line 364 of file PeerConnector.cc.

References CallJobHere.

◆ NegotiateSsl()

void Security::PeerConnector::NegotiateSsl ( int fd,
void * data )

Definition at line 354 of file PeerConnector.cc.

References data.

◆ noteNegotiationDone()

void Ssl::PeekingPeerConnector::noteNegotiationDone ( ErrorState * error )

Called when the SSL negotiation to the server completed and the certificates validated using the cert validator.

error: if not NULL, the SSL negotiation was aborted with an error

Reimplemented from Security::PeerConnector.

Definition at line 216 of file PeekingPeerConnector.cc.

References Ssl::CommonHostName(), debugs, ERR_GATEWAY_FAILURE, error(), fd_table, Here, Comm::IsConnOpen(), request(), Http::scInternalServerError, and _request::url.

◆ noteNegotiationError()

◆ noteWantRead()

void Security::PeerConnector::noteWantRead ( )

Called when the OpenSSL SSL_connect function requests more data from the remote SSL server. Sets the read timeout and sets the Squid COMM_SELECT_READ handler.

Definition at line 371 of file PeerConnector.cc.

References BIO_get_data(), COMM_SELECT_READ, commSetConnTimeout(), Security::PeerConnector::commTimeoutHandler(), DBG_IMPORTANT, debugs, fd_table, Ssl::ServerBio::gotHello(), Ssl::ServerBio::gotHelloFailed(), Ssl::ServerBio::holdRead(), JobCallback, Comm::MortalReadTimeout(), and Comm::SetSelect().

◆ noteWantWrite()

void Ssl::PeekingPeerConnector::noteWantWrite ( )

Called when the OpenSSL SSL_connect function needs to write data to the remote SSL server. Sets the Squid COMM_SELECT_WRITE handler.

Reimplemented from Security::PeerConnector.

Definition at line 280 of file PeekingPeerConnector.cc.

References BIO_get_data(), Ssl::ServerBio::bumpMode(), Ssl::bumpPeek, Ssl::bumpStare, debugs, fd_table, Ssl::ServerBio::holdWrite(), and Security::PeerConnector::noteWantWrite().

◆ recordNegotiationDetails()

void Security::PeerConnector::recordNegotiationDetails ( )

Called after negotiation finishes to record connection details for logging

Definition at line 151 of file PeerConnector.cc.

References BIO_get_data(), fd_table, and Ssl::ServerBio::receivedHelloDetails().

◆ sendSuccess()

void Security::PeerConnector::sendSuccess ( )

Definition at line 466 of file PeerConnector.cc.

◆ serverCertificateVerified()

void Ssl::PeekingPeerConnector::serverCertificateVerified ( )

◆ serverConnection()

Comm::ConnectionPointer const& Security::PeerConnector::serverConnection ( ) const

◆ sslCrtvdCheckForErrors()

Security::CertErrors * Security::PeerConnector::sslCrtvdCheckForErrors ( Ssl::CertValidationResponse const & resp,
ErrorDetailPointer & errDetails )

◆ sslCrtvdHandleReply()

◆ sslFinalized()

bool Security::PeerConnector::sslFinalized ( )

Called after negotiation has finished. Cleans up TLS/SSL state. Returns false if we are now waiting for the certs validation job. Otherwise, returns true, regardless of negotiation success/failure.

Definition at line 203 of file PeerConnector.cc.

References asyncCall(), DBG_IMPORTANT, debugs, Ssl::CertValidationRequest::domainName, ERR_GATEWAY_FAILURE, Ssl::CertValidationRequest::errors, fd_table, NULL, request(), Http::scInternalServerError, Ssl::CertValidationRequest::ssl, ssl_ex_index_server, ssl_ex_index_ssl_errors, Security::PeerConnector::sslCrtvdHandleReply(), Ssl::CertValidationHelper::Submit(), and Ssl::TheConfig.

◆ start()

void Security::PeerConnector::start ( )

Reimplemented from AsyncJob.

Definition at line 67 of file PeerConnector.cc.

References assert, debugs, ERR_CONNECT_FAIL, fd_table, Comm::IsConnOpen(), request(), Http::scBadGateway, and AsyncJob::start().

◆ Start()

◆ startCertDownloading()

void Security::PeerConnector::startCertDownloading ( SBuf & url )

◆ startTunneling()

void Ssl::PeekingPeerConnector::startTunneling ( )

Definition at line 263 of file PeekingPeerConnector.cc.

References BIO_get_data(), fd_table, request(), and switchToTunnel().

◆ status()

const char * Security::PeerConnector::status ( ) const

for debugging, starts with space

Reimplemented from AsyncJob.

Definition at line 513 of file PeerConnector.cc.

References buf, and NULL.

◆ swanSong()

void Security::PeerConnector::swanSong ( )

◆ toCbdata()

virtual void* CbdataParent::toCbdata ( )
pure virtual, inherited

◆ tunnelInsteadOfNegotiating()

void Ssl::PeekingPeerConnector::tunnelInsteadOfNegotiating ( )

Member Data Documentation

◆ al

AccessLogEntryPointer Security::PeerConnector::al

Definition at line 157 of file PeerConnector.h.

◆ callback

AsyncCall::Pointer Security::PeerConnector::callback

Definition at line 158 of file PeerConnector.h.

Referenced by Security::PeerConnector::PeerConnector().

◆ certsDownloads

unsigned int Security::PeerConnector::certsDownloads

Definition at line 185 of file PeerConnector.h.

◆ clientConn

Comm::ConnectionPointer Ssl::PeekingPeerConnector::clientConn

Definition at line 77 of file PeekingPeerConnector.h.

◆ closeHandler

AsyncCall::Pointer Ssl::PeekingPeerConnector::closeHandler

Definition at line 78 of file PeekingPeerConnector.h.

◆ id

const InstanceId<AsyncJob> AsyncJob::id

Definition at line 72 of file AsyncJob.h.

◆ inCall

AsyncCall::Pointer AsyncJob::inCall

◆ MaxCertsDownloads

const unsigned int Security::PeerConnector::MaxCertsDownloads = 10

Definition at line 175 of file PeerConnector.h.

◆ MaxNestedDownloads

const unsigned int Security::PeerConnector::MaxNestedDownloads = 3

Definition at line 177 of file PeerConnector.h.

◆ negotiationTimeout

time_t Security::PeerConnector::negotiationTimeout

Definition at line 180 of file PeerConnector.h.

◆ noteFwdPconnUse

bool Security::PeerConnector::noteFwdPconnUse

Definition at line 65 of file PeerConnector.h.

◆ request

HttpRequestPointer Security::PeerConnector::request

◆ serverCertificateHandled

bool Ssl::PeekingPeerConnector::serverCertificateHandled

Definition at line 80 of file PeekingPeerConnector.h.

◆ serverConn

Comm::ConnectionPointer Security::PeerConnector::serverConn

◆ splice

bool Ssl::PeekingPeerConnector::splice

Definition at line 79 of file PeekingPeerConnector.h.

◆ startTime

time_t Security::PeerConnector::startTime

Definition at line 181 of file PeerConnector.h.

◆ stopReason

const char* AsyncJob::stopReason

◆ typeName

◆ urlsOfMissingCerts

std::queue<SBuf> Security::PeerConnector::urlsOfMissingCerts

Definition at line 184 of file PeerConnector.h.

◆ useCertValidator_

bool Security::PeerConnector::useCertValidator_

whether the certificate validator should be bypassed

Definition at line 182 of file PeerConnector.h.

Referenced by Security::PeerConnector::bypassCertValidator().

The documentation for this class was generated from the following files:





