Re: [Squid Web Proxy Wiki] Update of "Features/AddonHelpers" by ChristosTsantilas

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Thu, 20 Sep 2012 13:54:31 +0300

Hi Amos,
 I show you had already fix most of my mistakes in wiki page. Thank you.

On 09/20/2012 09:40 AM, Amos Jeffries wrote:
> On 20/09/2012 9:40 a.m., wiki_at_wiki.squid-cache.org wrote:
>
>> + === SSL server certificate validator ===
>> +
>> + ## start sslcrtvd protocol
>> + This interface is similar to the SSL certificate generation interface.
>> +
>> + Input ''line'' received from Squid:
>> + {{{
>> + request size [body]
>> + }}}
>> +
>
> Please make sure this interface is supporting concurrency. The helper
> core routines do.

The helperSubmit method used to submit request so looking in the code
looks that both SSL certificate generation and validation helper
interfaces should support concurrency.
But I did not check it. Todo...

> Which also makes me wonder why multiple certificates details are being
> exchanged using ID suffixes on the keys instead of as submitted
> individually down multiple concurrency channels?

A SSL server may sent to the client (squid) mode than one certificates,
in the case it uses intermediate certificates.
The certificate validator helper needs all these certificates to
validate the certificate. The id suffixes in certificate means the 1st
certificate in chain, the 2nd certificate in chain etc:

cert_validate 1519 host=dmz.example-domain.com
errors=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
cert_1= -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
cert_2= -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

In the above example the X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN error
probably means that the cert_2 (an intermediate certificate) is
problematic (self signed)

>
>> + /!\ ''line'' refers to a logical input. '''body''' may contain \n
>> characters so each line in this format is delimited by a 0x01 byte
>> instead of the standard \n byte.
>> +
>> + request::
>> + The type of action being requested. Presently the code
>> '''cert_validate''' is the only request made.
>> +
>> + size::
>> + Total size of the following request bytes taken by the
>> '''key=pair''' parameters and '''body'''.
>> +
>> + body::
>> + Consist of key=value pairs.
>
> In which case document the input format properly as:
> request size [key-pairs]
>
> no need to confuse people with an abstract "body" thing which even the
> code won't mention.

OK.

>
>> The supported key=value pairs are:
>> + || host || FQDN host name or the domain ||
>> + || errors || A comma separated list of the detected openSSL
>> certificate validation errors ||
>> + || cert_'''''ID''''' || Server certificate. The ID is an index
>> number for this certificate. This parameter exist as many as the
>> server certificates are||
>
> What about tag= to tag the transaction with a meta low/group tag?
> What about passing an existing transaction tag to the helper?
> What about log= ? (ie a loggable compaction of all those errors)

At this time we do not need to tag or log transactions. The ID has a
different sense. Please see above.

>
>> +
>> + result::
>> + The result code '''OK''' indicates that the certificate validation
>> is successful. The result code '''ERROR''' indicates that an error
>> occurred.
>
> "ERR" is the standard result code opposite to "OK" (ie invalid
> certificate on succcessful lookup). For helper internal errors please
> use "BH" with a message= key-pair.

OK. Just returning "OK" or "BH" for certificate validation is enough,
because helper is just overwritting or rechecking the SSL errors.
This is what we do in the first implementation we have...

But we may want to rerurn "OK" only if the validator found the
certificate good (no errors returned) and "ERR" if exist errors in one
of the certificates.
Opinions?

>
> Amos
>
Received on Thu Sep 20 2012 - 10:54:46 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 21 2012 - 12:00:07 MDT