Eduard Bagdasaryan | 24 Jun 15:09 2016

[PATCH] Update all stored headers on revalidation

Hello,

According to RFC 7234 section 4.3.4. when a proxy receives 304 (Not 
Modified)
response, it should update every header, except Warning headers (which need
special processing). Also RFC 7232 section 4.1. does not prohibit origin 
servers
from sending any headers in 304 responses. That means that Squid now 
should not
ignore headers, which earlier were considered as malicious/faulty.
These changes were originated from another project, which is going to make
collapsing for revalidation requests work.

Regards,
Eduard.
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Eliezer Croitoru | 22 Jun 10:28 2016
Picon

HTTP2 push related question.

I am having troubles in understanding the benefits of HTTP 2 push messages
and I am looking a starter point on how to look at the subject.
I am sure that there are applicable usage for it and I remember that xmpp
and many other protocols are using this feature already.
But I still do not understand in what way it will extend the protocol?
The situation of a PUSH as I understand it would be when you kind of "trust"
the origin server and for specific applications.
Today normal web pages are already pushing data to the web browsers but with
PUSH as I understand it means that for example a 1GB file can be pushed to
the client.

Any redirections are welcome,
Eliezer

----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> 
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer <at> ngtech.co.il

Attachment (winmail.dat): application/ms-tnef, 82 KiB
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Vieri | 22 Jun 09:36 2016
Picon

[PATCH] avoid flooding cache.log with "uninitialized value" messages from ext_wbinfo_group_acl helper script

(sorry if I previously posted in HTML format)

Hi,

With default debug_options too many "uninitialized value" messages in /var/log/squid/cache.log;
Use of uninitialized value $ans in concatenation (.) or string at
/usr/libexec/squid/ext_wbinfo_group_acl line 204, <STDIN> line 44.
Use of uninitialized value $ans in concatenation (.) or string at
/usr/libexec/squid/ext_wbinfo_group_acl line 205, <STDIN> line 44.

Minor issue fixed with this patch.

Thanks,

Vieri
Attachment (ext_wbinfo_group_acl.pl.in.diff): application/octet-stream, 446 bytes
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Vieri | 22 Jun 09:22 2016
Picon

[PATCH] avoid flooding cache.log with "uninitialized value" messages from ext_wbinfo_group_acl helper script

Hi,

With default debug_options too many "uninitialized value" messages in /var/log/squid/cache.log;
Use of uninitialized value $ans in concatenation (.) or string at /usr/libexec/squid/ext_wbinfo_group_acl line 204, <STDIN> line 44.
Use of uninitialized value $ans in concatenation (.) or string at /usr/libexec/squid/ext_wbinfo_group_acl line 205, <STDIN> line 44.

Minor issue fixed with this patch.

Thanks,

Vieri

Attachment (ext_wbinfo_group_acl.pl.in.diff): application/octet-stream, 446 bytes
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Amos Jeffries | 22 Jun 06:42 2016
Picon

[PATCH] GnuTLS session resume

This patch shuffles session resume to libsecurity and implements it for
GnuTLS.

As-is it relies on the previous LockingPointer API patch redesign for a
generic reset() method.

Amos
=== modified file 'src/CachePeer.cc'
--- src/CachePeer.cc	2016-01-01 00:12:18 +0000
+++ src/CachePeer.cc	2016-06-21 10:06:55 +0000
 <at>  <at>  -25,41 +25,40  <at>  <at> 
     typelist(NULL),
     access(NULL),
     weight(1),
     basetime(0),
 #if USE_CACHE_DIGESTS
     digest(NULL),
     digest_url(NULL),
 #endif
     tcp_up(0),
     n_addresses(0),
     rr_count(0),
     next(NULL),
     testing_now(false),
     login(NULL),
     connect_timeout(0),
     connect_fail_limit(0),
     max_conn(0),
     domain(NULL),
 #if USE_OPENSSL
     sslContext(NULL),
-    sslSession(NULL),
 #endif
     front_end_https(0),
     connection_auth(2 /* auto */)
 {
     memset(&stats, 0, sizeof(stats));
     stats.logged_state = PEER_ALIVE;

     memset(&icp, 0, sizeof(icp));
     icp.port = CACHE_ICP_PORT;
     icp.version = ICP_VERSION_CURRENT;

 #if USE_HTCP
     memset(&htcp, 0, sizeof(htcp));
 #endif
     memset(&options, 0, sizeof(options));
     memset(&mcast, 0, sizeof(mcast));
     memset(&carp, 0, sizeof(carp));
 #if USE_AUTH
     memset(&userhash, 0, sizeof(userhash));
 #endif
 <at>  <at>  -85,26 +84,23  <at>  <at> 

 #if USE_CACHE_DIGESTS
     cbdataReferenceDone(digest);
     xfree(digest_url);
 #endif

     delete next;

     xfree(login);

     delete standby.pool;

     // the mgr job will notice that its owner is gone and stop
     PeerPoolMgr::Checkpoint(standby.mgr, "peer gone");

     xfree(domain);

 #if USE_OPENSSL
     if (sslContext)
         SSL_CTX_free(sslContext);
-
-    if (sslSession)
-        SSL_SESSION_free(sslSession);
 #endif
 }

=== modified file 'src/CachePeer.h'
--- src/CachePeer.h	2016-01-01 00:12:18 +0000
+++ src/CachePeer.h	2016-06-21 10:06:56 +0000
 <at>  <at>  -167,30 +167,28  <at>  <at> 
         unsigned int hash;
         double load_multiplier;
         double load_factor; /* normalized weight value */
     } sourcehash;

     char *login;        /* Proxy authorization */
     time_t connect_timeout;
     int connect_fail_limit;
     int max_conn;
     struct {
         PconnPool *pool; ///< idle connection pool for this peer
         CbcPointer<PeerPoolMgr> mgr; ///< pool manager
         int limit; ///< the limit itself
         bool waitingForClose; ///< a conn must close before we open a standby conn
     } standby; ///< optional "cache_peer standby=limit" feature
     char *domain;       /* Forced domain */

     /// security settings for peer connection
     Security::PeerOptions secure;
     Security::ContextPtr sslContext;
-#if USE_OPENSSL
-    SSL_SESSION *sslSession;
-#endif
+    Security::SessionStatePointer sslSession;

     int front_end_https;
     int connection_auth;
 };

 #endif /* SQUID_CACHEPEER_H_ */

=== modified file 'src/adaptation/icap/ServiceRep.cc'
--- src/adaptation/icap/ServiceRep.cc	2016-01-15 06:47:59 +0000
+++ src/adaptation/icap/ServiceRep.cc	2016-06-21 10:06:56 +0000
 <at>  <at>  -17,43 +17,40  <at>  <at> 
 #include "adaptation/icap/ServiceRep.h"
 #include "base/TextException.h"
 #include "comm/Connection.h"
 #include "ConfigParser.h"
 #include "Debug.h"
 #include "fde.h"
 #include "globals.h"
 #include "HttpReply.h"
 #include "ip/tools.h"
 #include "SquidConfig.h"
 #include "SquidTime.h"

 #define DEFAULT_ICAP_PORT   1344
 #define DEFAULT_ICAPS_PORT 11344

 CBDATA_NAMESPACED_CLASS_INIT(Adaptation::Icap, ServiceRep);

 Adaptation::Icap::ServiceRep::ServiceRep(const ServiceConfigPointer &svcCfg):
     AsyncJob("Adaptation::Icap::ServiceRep"), Adaptation::Service(svcCfg),
     sslContext(NULL),
-#if USE_OPENSSL
-    sslSession(NULL),
-#endif
     theOptions(NULL), theOptionsFetcher(0), theLastUpdate(0),
     theBusyConns(0),
     theAllWaiters(0),
     connOverloadReported(false),
     theIdleConns(NULL),
     isSuspended(0), notifying(false),
     updateScheduled(false),
     wasAnnouncedUp(true), // do not announce an "up" service at startup
     isDetached(false)
 {
     setMaxConnections();
     theIdleConns = new IdleConnList("ICAP Service", NULL);
 }

 Adaptation::Icap::ServiceRep::~ServiceRep()
 {
     delete theIdleConns;
     Must(!theOptionsFetcher);
     delete theOptions;
 }

=== modified file 'src/adaptation/icap/ServiceRep.h'
--- src/adaptation/icap/ServiceRep.h	2016-01-01 00:12:18 +0000
+++ src/adaptation/icap/ServiceRep.h	2016-06-21 10:06:56 +0000
 <at>  <at>  -94,43 +94,41  <at>  <at> 

     void noteNewWaiter() {theAllWaiters++;} ///< New xaction waiting for service to be up or available
     void noteGoneWaiter(); ///< An xaction is not waiting any more for service to be available
     bool existWaiters() const {return (theAllWaiters > 0);} ///< if there are xactions waiting for the
service to be available

     //AsyncJob virtual methods
     virtual bool doneAll() const { return Adaptation::Initiator::doneAll() && false;}
     virtual void callException(const std::exception &e);

     virtual void detach();
     virtual bool detached() const;

 public: // treat these as private, they are for callbacks only
     void noteTimeToUpdate();
     void noteTimeToNotify();

     // receive either an ICAP OPTIONS response header or an abort message
     virtual void noteAdaptationAnswer(const Answer &answer);

     Security::ContextPtr sslContext;
-#if USE_OPENSSL
-    SSL_SESSION *sslSession;
-#endif
+    Security::SessionStatePointer sslSession;

 private:
     // stores Prepare() callback info

     struct Client {
         Pointer service; // one for each client to preserve service
         AsyncCall::Pointer callback;
     };

     typedef std::vector<Client> Clients;
     // TODO: rename to theUpWaiters
     Clients theClients; // all clients waiting for a call back

     Options *theOptions;
     CbcPointer<Adaptation::Initiate> theOptionsFetcher; // pending ICAP OPTIONS transaction
     time_t theLastUpdate; // time the options were last updated

     /// FIFO queue of xactions waiting for a connection slot and not yet notified
     /// about it; xaction is removed when notification is scheduled
     std::deque<Client> theNotificationWaiters;

=== modified file 'src/adaptation/icap/Xaction.cc'
--- src/adaptation/icap/Xaction.cc	2016-02-02 15:39:23 +0000
+++ src/adaptation/icap/Xaction.cc	2016-06-21 12:14:42 +0000
 <at>  <at>  -708,60 +708,53  <at>  <at> 
 {
     return false;
 }

 #if USE_OPENSSL
 Security::SessionPtr
 Ssl::IcapPeerConnector::initializeSsl()
 {
     auto ssl = Ssl::PeerConnector::initializeSsl();
     if (!ssl)
         return nullptr;

     assert(!icapService->cfg().secure.sslDomain.isEmpty());
     SBuf *host = new SBuf(icapService->cfg().secure.sslDomain);
     SSL_set_ex_data(ssl, ssl_ex_index_server, host);

     ACLFilledChecklist *check = (ACLFilledChecklist *)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check);
     if (check)
         check->dst_peer_name = *host;

-    if (icapService->sslSession)
-        SSL_set_session(ssl, icapService->sslSession);
+    Security::GetSessionResumeData(Security::SessionPointer(ssl), icapService->sslSession);

     return ssl;
 }

 void
 Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error)
 {
     if (error)
         return;

     const int fd = serverConnection()->fd;
-    auto ssl = fd_table[fd].ssl.get();
-    assert(ssl);
-    if (!SSL_session_reused(ssl)) {
-        if (icapService->sslSession)
-            SSL_SESSION_free(icapService->sslSession);
-        icapService->sslSession = SSL_get1_session(ssl);
-    }
+    Security::GetSessionResumeData(fd_table[fd].ssl, icapService->sslSession);
 }

 void
 Adaptation::Icap::Xaction::handleSecuredPeer(Security::EncryptorAnswer &answer)
 {
     Must(securer != NULL);
     securer = NULL;

     if (closer != NULL) {
         if (answer.conn != NULL)
             comm_remove_close_handler(answer.conn->fd, closer);
         else
             closer->cancel("securing completed");
         closer = NULL;
     }

     if (answer.error.get()) {
         if (answer.conn != NULL)
             answer.conn->close();
         debugs(93, 2, typeName <<

=== modified file 'src/client_side.cc'
--- src/client_side.cc	2016-05-20 13:20:27 +0000
+++ src/client_side.cc	2016-06-21 10:06:56 +0000
 <at>  <at>  -2640,41 +2640,41  <at>  <at> 
         /* NOTREACHED */
     }
     return 1;
 }

 /** negotiate an SSL connection */
 static void
 clientNegotiateSSL(int fd, void *data)
 {
     ConnStateData *conn = (ConnStateData *)data;
     X509 *client_cert;
     auto ssl = fd_table[fd].ssl.get();

     int ret;
     if ((ret = Squid_SSL_accept(conn, clientNegotiateSSL)) <= 0) {
         if (ret < 0) // An error
             conn->clientConnection->close();
         return;
     }

-    if (SSL_session_reused(ssl)) {
+    if (Security::SessionIsResumed(fd_table[fd].ssl)) {
         debugs(83, 2, "clientNegotiateSSL: Session " << SSL_get_session(ssl) <<
                " reused on FD " << fd << " (" << fd_table[fd].ipaddr << ":" << (int)fd_table[fd].remote_port << ")");
     } else {
         if (Debug::Enabled(83, 4)) {
             /* Write out the SSL session details.. actually the call below, but
              * OpenSSL headers do strange typecasts confusing GCC.. */
             /* PEM_write_SSL_SESSION(debug_log, SSL_get_session(ssl)); */
 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x00908000L
             PEM_ASN1_write((i2d_of_void *)i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char
*)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL);

 #elif (ALLOW_ALWAYS_SSL_SESSION_DETAIL == 1)

             /* When using gcc 3.3.x and OpenSSL 0.9.7x sometimes a compile error can occur here.
             * This is caused by an unpredicatble gcc behaviour on a cast of the first argument
             * of PEM_ASN1_write(). For this reason this code section is disabled. To enable it,
             * define ALLOW_ALWAYS_SSL_SESSION_DETAIL=1.
             * Because there are two possible usable cast, if you get an error here, try the other
             * commented line. */

             PEM_ASN1_write((int(*)())i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char
*)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL);
=== modified file 'src/security/Session.cc'
--- src/security/Session.cc	2016-02-17 21:03:29 +0000
+++ src/security/Session.cc	2016-06-21 15:21:41 +0000
 <at>  <at>  -1,38 +1,77  <at>  <at> 
 /*
  * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */

 #include "squid.h"
 #include "anyp/PortCfg.h"
 #include "base/RunnersRegistry.h"
 #include "ipc/MemMap.h"
 #include "security/Session.h"
 #include "SquidConfig.h"

 #define SSL_SESSION_ID_SIZE 32
 #define SSL_SESSION_MAX_SIZE 10*1024

+bool
+Security::SessionIsResumed(const Security::SessionPointer &s)
+{
+    return
+#if USE_OPENSSL
+        SSL_session_reused(s.get()) == 1;
+#elif USE_GNUTLS
+        gnutls_session_is_resumed(s.get()) != 0;
+#else
+        false;
+#endif
+}
+
+void
+Security::GetSessionResumeData(const Security::SessionPointer &s,
Security::SessionStatePointer &data)
+{
+    if (!SessionIsResumed(s)) {
+#if USE_OPENSSL
+        data.reset(SSL_get1_session(s.get()));
+#elif USE_GNUTLS
+        gnutls_datum_t *tmp = nullptr;
+        (void)gnutls_session_get_data2(s.get(), tmp);
+        data.reset(tmp);
+#endif
+    }
+}
+
+void
+Security::SetSessionResumeData(const Security::SessionPtr &s, const
Security::SessionStatePointer &data)
+{
+    if (s) {
+#if USE_OPENSSL
+        (void)SSL_set_session(s, data.get());
+#elif USE_GNUTLS
+        (void)gnutls_session_set_data(s, data->data, data->size);
+#endif
+    }
+}
+
 static bool
 isTlsServer()
 {
     for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
         if (s->secure.encryptTransport)
             return true;
         if (s->flags.tunnelSslBumping)
             return true;
     }

     return false;
 }

 void
 initializeSessionCache()
 {
 #if USE_OPENSSL
     // Check if the MemMap keys and data are enough big to hold
     // session ids and session data
     assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);

=== modified file 'src/security/Session.h'
--- src/security/Session.h	2016-02-13 12:12:10 +0000
+++ src/security/Session.h	2016-06-21 10:06:56 +0000
 <at>  <at>  -14,40 +14,59  <at>  <at> 

 #if USE_OPENSSL
 #if HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
 #endif
 #endif

 #if USE_GNUTLS
 #if HAVE_GNUTLS_GNUTLS_H
 #include <gnutls/gnutls.h>
 #endif
 #endif

 namespace Security {

 #if USE_OPENSSL
 typedef SSL* SessionPtr;
 CtoCpp1(SSL_free, SSL *);
 typedef LockingPointer<SSL, Security::SSL_free_cpp, CRYPTO_LOCK_SSL> SessionPointer;

+typedef SSL_SESSION* SessionStatePtr;
+CtoCpp1(SSL_SESSION_free, SSL_SESSION *);
+typedef LockingPointer<SSL_SESSION, Security::SSL_SESSION_free_cpp, CRYPTO_LOCK_SSL_SESSION> SessionStatePointer;
+
 #elif USE_GNUTLS
 typedef gnutls_session_t SessionPtr;
 CtoCpp1(gnutls_deinit, gnutls_session_t);
 // TODO: Convert to Locking pointer.
 // Locks can be implemented attaching locks counter to gnutls_session_t
 // objects using the gnutls_session_set_ptr()/gnutls_session_get_ptr ()
 // library functions
 typedef TidyPointer<struct gnutls_session_int, Security::gnutls_deinit_cpp> SessionPointer;

+typedef gnutls_datum_t *SessionStatePtr;
+CtoCpp1(gnutls_free, gnutls_datum_t *);
+typedef TidyPointer<gnutls_datum_t, Security::gnutls_free_cpp> SessionStatePointer;
+
 #else
 // use void* so we can check against NULL
 typedef void* SessionPtr;
 typedef TidyPointer<void, nullptr> SessionPointer;
+typedef TidyPointer<void, nullptr> SessionStatePointer;

 #endif

+/// whether the session is a resumed one
+bool SessionIsResumed(const Security::SessionPointer &);
+
+/// Retrieve the data needed to resume this session on a later connection
+void GetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &);
+
+/// Set the data for resuming a previous session.
+/// Needs to be done before using the SessionPointer for a handshake.
+void SetSessionResumeData(const Security::SessionPtr &, const Security::SessionStatePointer &);
+
 } // namespace Security

 #endif /* SQUID_SRC_SECURITY_SESSION_H */

=== modified file 'src/ssl/BlindPeerConnector.cc'
--- src/ssl/BlindPeerConnector.cc	2016-01-27 16:56:38 +0000
+++ src/ssl/BlindPeerConnector.cc	2016-06-21 10:06:56 +0000
 <at>  <at>  -29,54 +29,49  <at>  <at> 
     return ::Config.ssl_client.sslContext;
 }

 Security::SessionPtr
 Ssl::BlindPeerConnector::initializeSsl()
 {
     auto ssl = Ssl::PeerConnector::initializeSsl();
     if (!ssl)
         return nullptr;

     if (const CachePeer *peer = serverConnection()->getPeer()) {
         assert(peer);

         // NP: domain may be a raw-IP but it is now always set
         assert(!peer->secure.sslDomain.isEmpty());

         // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
         SBuf *host = new SBuf(peer->secure.sslDomain);
         SSL_set_ex_data(ssl, ssl_ex_index_server, host);

-        if (peer->sslSession)
-            SSL_set_session(ssl, peer->sslSession);
+        Security::SetSessionResumeData(ssl, peer->sslSession);
     } else {
         SBuf *hostName = new SBuf(request->url.host());
         SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostName);
     }

     return ssl;
 }

 void
 Ssl::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
 {
     if (error) {
         // XXX: forward.cc calls peerConnectSucceeded() after an OK TCP connect but
         // we call peerConnectFailed() if SSL failed afterwards. Is that OK?
         // It is not clear whether we should call peerConnectSucceeded/Failed()
         // based on TCP results, SSL results, or both. And the code is probably not
         // consistent in this aspect across tunnelling and forwarding modules.
         if (CachePeer *p = serverConnection()->getPeer())
             peerConnectFailed(p);
         return;
     }

-    const int fd = serverConnection()->fd;
-    Security::SessionPtr ssl = fd_table[fd].ssl.get();
-    if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) {
-        if (serverConnection()->getPeer()->sslSession)
-            SSL_SESSION_free(serverConnection()->getPeer()->sslSession);
-
-        serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl);
+    if (auto *peer = serverConnection()->getPeer()) {
+        const int fd = serverConnection()->fd;
+        Security::GetSessionResumeData(fd_table[fd].ssl, peer->sslSession);
     }
 }

_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Eduard Bagdasaryan | 21 Jun 19:13 2016

Dealing with RegisteredHeadersHash.gperf

Hello,

In my current task I need to change some of header definitions, but it is
unclear how to do this correctly. My understanding is that I need to
modify http/RegisteredHeadersHash.gperf, and then run
"make gperf-files" to generate RegisteredHeadersHash.cci. Is this correct?
The http/RegisteredHeadersHash.gperf has a comment that it was 
auto-generated
from RegisteredHeadersHash.gperf. How could it be generated from itself?

Thank you,
Eduard.
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Amos Jeffries | 21 Jun 12:00 2016
Picon

[PATCH] LockingPointer API update

With GnuTLS support it is sometimes more useful to use a TidyPointer
where a LockingPointer is used by OpenSSL.

This patch converts the LockingPointer resetAndLock() to a virtual
reset() so callers can use the right one without needing to care which
type of pointer they are handling.

Doing this has already uncovered two instances of the
TidyPointer::reset() being wrongly used on cert LockingPointer objects.
There may be more hidden away, I only noticed the ones that were being
used near a resetAndLock() on the same variable. That could have been
leading to early unexpected free'ing of those certs in some code paths.

This change needs to be checked by someone with an OpenSSL bumping
installation please.

Amos
=== modified file 'src/base/TidyPointer.h'
--- src/base/TidyPointer.h	2016-03-31 23:33:45 +0000
+++ src/base/TidyPointer.h	2016-06-20 22:24:54 +0000
 <at>  <at>  -12,53 +12,53  <at>  <at> 
 /**
  * A pointer that deletes the object it points to when the pointer's owner or
  * context is gone. Similar to std::unique_ptr but without confusing assignment
  * and with a customizable cleanup method. Prevents memory leaks in
  * the presence of exceptions and processing short cuts.
 */
 template <typename T, void (*DeAllocator)(T *t)> class TidyPointer
 {
 public:
     /// Delete callback.
     typedef void DCB (T *t);
     TidyPointer(T *t = NULL)
         :   raw(t) {}
 public:
     bool operator !() const { return !raw; }
     explicit operator bool() const { return raw; }
     /// Returns raw and possibly NULL pointer
     T *get() const { return raw; }

     /// Reset raw pointer - delete last one and save new one.
-    void reset(T *t) {
+    virtual void reset(T *t) {
         deletePointer();
         raw = t;
     }

     /// Forget the raw pointer without freeing it. Become a nil pointer.
     T *release() {
         T *ret = raw;
         raw = NULL;
         return ret;
     }
     /// Deallocate raw pointer.
-    ~TidyPointer() {
+    virtual ~TidyPointer() {
         deletePointer();
     }
 private:
     /// Forbidden copy constructor.
     TidyPointer(TidyPointer<T, DeAllocator> const &);
     /// Forbidden assigment operator.
     TidyPointer <T, DeAllocator> & operator = (TidyPointer<T, DeAllocator> const &);
     /// Deallocate raw pointer. Become a nil pointer.
     void deletePointer() {
         if (raw) {
             DeAllocator(raw);
         }
         raw = NULL;
     }
     T *raw; ///< pointer to T object or NULL
 };

 /// DeAllocator for pointers that need free(3) from the std C library
 template<typename T> void tidyFree(T *p)
 {

=== modified file 'src/client_side.cc'
--- src/client_side.cc	2016-05-20 13:20:27 +0000
+++ src/client_side.cc	2016-06-20 22:36:29 +0000
 <at>  <at>  -2879,55 +2879,55  <at>  <at> 
                     SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
                     Ssl::configureUnconfiguredSslContext(sslContext, signAlgorithm, *port);
                 } else {
                     auto ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port);
                     getSslContextDone(ctx, true);
                 }
                 return;
             }
         }
     }
     getSslContextDone(NULL);
 }

 void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &certProperties)
 {
     certProperties.commonName =  sslCommonName_.isEmpty() ? sslConnectHostOrIp.termedBuf() : sslCommonName_.c_str();

     // fake certificate adaptation requires bump-server-first mode
     if (!sslServerBump) {
         assert(port->signingCert.get());
-        certProperties.signWithX509.resetAndLock(port->signingCert.get());
+        certProperties.signWithX509.reset(port->signingCert.get());
         if (port->signPkey.get())
-            certProperties.signWithPkey.resetAndLock(port->signPkey.get());
+            certProperties.signWithPkey.reset(port->signPkey.get());
         certProperties.signAlgorithm = Ssl::algSignTrusted;
         return;
     }

     // In case of an error while connecting to the secure server, use a fake
     // trusted certificate, with no mimicked fields and no adaptation
     // algorithms. There is nothing we can mimic so we want to minimize the
     // number of warnings the user will have to see to get to the error page.
     assert(sslServerBump->entry);
     if (sslServerBump->entry->isEmpty()) {
         if (X509 *mimicCert = sslServerBump->serverCert.get())
-            certProperties.mimicCert.resetAndLock(mimicCert);
+            certProperties.mimicCert.reset(mimicCert);

         ACLFilledChecklist checklist(NULL, sslServerBump->request.getRaw(),
                                      clientConnection != NULL ? clientConnection->rfc931 : dash_str);
         checklist.sslErrors = cbdataReference(sslServerBump->sslErrors());

         for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) {
             // If the algorithm already set, then ignore it.
             if ((ca->alg == Ssl::algSetCommonName && certProperties.setCommonName) ||
                     (ca->alg == Ssl::algSetValidAfter && certProperties.setValidAfter) ||
                     (ca->alg == Ssl::algSetValidBefore && certProperties.setValidBefore) )
                 continue;

             if (ca->aclList && checklist.fastCheck(ca->aclList) == ACCESS_ALLOWED) {
                 const char *alg = Ssl::CertAdaptAlgorithmStr[ca->alg];
                 const char *param = ca->param;

                 // For parameterless CN adaptation, use hostname from the
                 // CONNECT request.
                 if (ca->alg == Ssl::algSetCommonName) {
                     if (!param)
 <at>  <at>  -2946,48 +2946,48  <at>  <at> 

         certProperties.signAlgorithm = Ssl::algSignEnd;
         for (sslproxy_cert_sign *sg = Config.ssl_client.cert_sign; sg != NULL; sg = sg->next) {
             if (sg->aclList && checklist.fastCheck(sg->aclList) == ACCESS_ALLOWED) {
                 certProperties.signAlgorithm = (Ssl::CertSignAlgorithm)sg->alg;
                 break;
             }
         }
     } else {// if (!sslServerBump->entry->isEmpty())
         // Use trusted certificate for a Squid-generated error
         // or the user would have to add a security exception
         // just to see the error page. We will close the connection
         // so that the trust is not extended to non-Squid content.
         certProperties.signAlgorithm = Ssl::algSignTrusted;
     }

     assert(certProperties.signAlgorithm != Ssl::algSignEnd);

     if (certProperties.signAlgorithm == Ssl::algSignUntrusted) {
         assert(port->untrustedSigningCert.get());
-        certProperties.signWithX509.resetAndLock(port->untrustedSigningCert.get());
-        certProperties.signWithPkey.resetAndLock(port->untrustedSignPkey.get());
+        certProperties.signWithX509.reset(port->untrustedSigningCert.get());
+        certProperties.signWithPkey.reset(port->untrustedSignPkey.get());
     } else {
         assert(port->signingCert.get());
-        certProperties.signWithX509.resetAndLock(port->signingCert.get());
+        certProperties.signWithX509.reset(port->signingCert.get());

         if (port->signPkey.get())
-            certProperties.signWithPkey.resetAndLock(port->signPkey.get());
+            certProperties.signWithPkey.reset(port->signPkey.get());
     }
     signAlgorithm = certProperties.signAlgorithm;

     certProperties.signHash = Ssl::DefaultSignHash;
 }

 void
 ConnStateData::getSslContextStart()
 {
     // XXX starting SSL with a pipeline of requests still waiting for non-SSL replies?
     assert(pipeline.count() < 2); // the CONNECT is okay for now. Anything else is a bug.
     pipeline.terminateAll(0);
     /* careful: terminateAll(0) above frees request, host, etc. */

     if (port->generateHostCertificates) {
         Ssl::CertificateProperties certProperties;
         buildSslCertGenerationParams(certProperties);
         sslBumpCertKey = certProperties.dbKey().c_str();
         assert(sslBumpCertKey.size() > 0 && sslBumpCertKey[0] != '\0');

=== modified file 'src/security/LockingPointer.h'
--- src/security/LockingPointer.h	2016-03-31 23:33:45 +0000
+++ src/security/LockingPointer.h	2016-06-20 22:54:50 +0000
 <at>  <at>  -32,58 +32,61  <at>  <at> 
         extern "C++" inline void function ## _cpp(argument a) { \
             function(a); \
         }

 namespace Security
 {

 /**
  * Add SSL locking (a.k.a. reference counting) and assignment to TidyPointer
  */
 template <typename T, void (*DeAllocator)(T *t), int lock>
 class LockingPointer: public TidyPointer<T, DeAllocator>
 {
 public:
     typedef TidyPointer<T, DeAllocator> Parent;
     typedef LockingPointer<T, DeAllocator, lock> SelfType;

     explicit LockingPointer(T *t = nullptr): Parent(t) {}

     explicit LockingPointer(const SelfType &o): Parent() {
-        resetAndLock(o.get());
+        reset(o.get());
     }
+    virtual ~LockingPointer() = default;

     SelfType &operator =(const SelfType & o) {
-        resetAndLock(o.get());
+        reset(o.get());
         return *this;
     }

 #if __cplusplus >= 201103L
     explicit LockingPointer(LockingPointer<T, DeAllocator, lock> &&o): Parent(o.release()) {
     }

     LockingPointer<T, DeAllocator, lock> &operator =(LockingPointer<T, DeAllocator, lock> &&o) {
         if (o.get() != this->get())
             this->reset(o.release());
         return *this;
     }
 #endif

-    void resetAndLock(T *t) {
+    virtual void reset(T *t) override {
         if (t != this->get()) {
-            this->reset(t);
+            // initial part must match TidyPointer::reset
+            this->TidyPointer<T, DeAllocator>::reset(t);
+            // then the locking
 #if USE_OPENSSL
             if (t)
                 CRYPTO_add(&t->references, 1, lock);
 #elif USE_GNUTLS
             // XXX: GnuTLS does not provide locking ?
 #else
             assert(false);
 #endif
         }
     }
 };

 } // namespace Security

 #endif /* SQUID_SRC_SECURITY_LOCKINGPOINTER_H */

=== modified file 'src/ssl/ErrorDetail.cc'
--- src/ssl/ErrorDetail.cc	2016-01-01 00:12:18 +0000
+++ src/ssl/ErrorDetail.cc	2016-06-20 22:39:28 +0000
 <at>  <at>  -611,48 +611,48  <at>  <at> 
         code_len = convert(++p, &t);
         if (code_len)
             errDetailStr.append(t);
         else
             errDetailStr.append("%");
         s = p + code_len;
     }
     errDetailStr.append(s, strlen(s));
 }

 const String &Ssl::ErrorDetail::toString() const
 {
     if (errDetailStr.size() == 0)
         buildDetail();
     return errDetailStr;
 }

 Ssl::ErrorDetail::ErrorDetail( Ssl::ssl_error_t err_no, X509 *cert, X509 *broken, const char
*aReason): error_no (err_no), lib_error_no(SSL_ERROR_NONE), errReason(aReason)
 {
     if (cert)
-        peer_cert.resetAndLock(cert);
+        peer_cert.reset(cert);

     if (broken)
-        broken_cert.resetAndLock(broken);
+        broken_cert.reset(broken);
     else
-        broken_cert.resetAndLock(cert);
+        broken_cert.reset(cert);

     detailEntry.error_no = SSL_ERROR_NONE;
 }

 Ssl::ErrorDetail::ErrorDetail(Ssl::ErrorDetail const &anErrDetail)
 {
     error_no = anErrDetail.error_no;
     request = anErrDetail.request;

     if (anErrDetail.peer_cert.get()) {
-        peer_cert.resetAndLock(anErrDetail.peer_cert.get());
+        peer_cert.reset(anErrDetail.peer_cert.get());
     }

     if (anErrDetail.broken_cert.get()) {
-        broken_cert.resetAndLock(anErrDetail.broken_cert.get());
+        broken_cert.reset(anErrDetail.broken_cert.get());
     }

     detailEntry = anErrDetail.detailEntry;

     lib_error_no = anErrDetail.lib_error_no;
 }

=== modified file 'src/ssl/PeekingPeerConnector.cc'
--- src/ssl/PeekingPeerConnector.cc	2016-05-18 16:35:36 +0000
+++ src/ssl/PeekingPeerConnector.cc	2016-06-20 22:40:27 +0000
 <at>  <at>  -212,41 +212,41  <at>  <at> 
         }
     }

     return ssl;
 }

 void
 Ssl::PeekingPeerConnector::noteNegotiationDone(ErrorState *error)
 {
     Security::SessionPtr ssl = fd_table[serverConnection()->fd].ssl.get();

     // Check the list error with
     if (!request->clientConnectionManager.valid() || ! ssl)
         return;

     // remember the server certificate from the ErrorDetail object
     if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
         if (!serverBump->serverCert.get()) {
             // remember the server certificate from the ErrorDetail object
             if (error && error->detail && error->detail->peerCert())
-                serverBump->serverCert.resetAndLock(error->detail->peerCert());
+                serverBump->serverCert.reset(error->detail->peerCert());
             else {
                 handleServerCertificate();
             }
         }

         if (error) {
             // For intercepted connections, set the host name to the server
             // certificate CN. Otherwise, we just hope that CONNECT is using
             // a user-entered address (a host name or a user-entered IP).
             const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
             if (request->flags.sslPeek && !isConnectRequest) {
                 if (X509 *srvX509 = serverBump->serverCert.get()) {
                     if (const char *name = Ssl::CommonHostName(srvX509)) {
                         request->url.host(name);
                         debugs(83, 3, "reset request host: " << name);
                     }
                 }
             }
         }
     }
 <at>  <at>  -333,41 +333,41  <at>  <at> 
         Security::SessionPtr ssl = fd_table[fd].ssl.get();
         Security::CertPointer serverCert(SSL_get_peer_certificate(ssl));
         if (!serverCert.get())
             return;

         serverCertificateHandled = true;

         // remember the server certificate for later use
         if (Ssl::ServerBump *serverBump = csd->serverBump()) {
             serverBump->serverCert.reset(serverCert.release());
         }
     }
 }

 void
 Ssl::PeekingPeerConnector::serverCertificateVerified()
 {
     if (ConnStateData *csd = request->clientConnectionManager.valid()) {
         Security::CertPointer serverCert;
         if(Ssl::ServerBump *serverBump = csd->serverBump())
-            serverCert.resetAndLock(serverBump->serverCert.get());
+            serverCert.reset(serverBump->serverCert.get());
         else {
             const int fd = serverConnection()->fd;
             Security::SessionPtr ssl = fd_table[fd].ssl.get();
             serverCert.reset(SSL_get_peer_certificate(ssl));
         }
         if (serverCert.get()) {
             csd->resetSslCommonName(Ssl::CommonHostName(serverCert.get()));
             debugs(83, 5, "HTTPS server CN: " << csd->sslCommonName() <<
                    " bumped: " << *serverConnection());
         }
     }
 }

 void
 Ssl::PeekingPeerConnector::tunnelInsteadOfNegotiating()
 {
     Must(callback != NULL);
     CbDialer *dialer = dynamic_cast<CbDialer*>(callback->getDialer());
     Must(dialer);
     dialer->answer().tunneled = true;

=== modified file 'src/ssl/ServerBump.cc'
--- src/ssl/ServerBump.cc	2016-02-13 12:12:10 +0000
+++ src/ssl/ServerBump.cc	2016-06-20 22:41:30 +0000
 <at>  <at>  -40,33 +40,33  <at>  <at> 
     // later, but an entry without any client will trim all its contents away.
     sc = storeClientListAdd(entry, this);
 }

 Ssl::ServerBump::~ServerBump()
 {
     debugs(33, 4, HERE << "destroying");
     if (entry) {
         debugs(33, 4, HERE << *entry);
         storeUnregister(sc, entry, this);
         entry->unlock("Ssl::ServerBump");
     }
 }

 void
 Ssl::ServerBump::attachServerSSL(SSL *ssl)
 {
     if (serverSSL.get())
         return;

-    serverSSL.resetAndLock(ssl);
+    serverSSL.reset(ssl);
 }

 const Ssl::CertErrors *
 Ssl::ServerBump::sslErrors() const
 {
     if (!serverSSL.get())
         return NULL;

     const Ssl::CertErrors *errs = static_cast<const
Ssl::CertErrors*>(SSL_get_ex_data(serverSSL.get(), ssl_ex_index_ssl_errors));
     return errs;
 }

=== modified file 'src/ssl/cert_validate_message.cc'
--- src/ssl/cert_validate_message.cc	2016-01-05 10:55:14 +0000
+++ src/ssl/cert_validate_message.cc	2016-06-20 22:41:38 +0000
 <at>  <at>  -199,52 +199,52  <at>  <at> 
     id = old.id;
     error_no = old.error_no;
     error_reason = old.error_reason;
     error_depth = old.error_depth;
     setCert(old.cert.get());
 }

 Ssl::CertValidationResponse::RecvdError & Ssl::CertValidationResponse::RecvdError::operator =
(const RecvdError &old)
 {
     id = old.id;
     error_no = old.error_no;
     error_reason = old.error_reason;
     error_depth = old.error_depth;
     setCert(old.cert.get());
     return *this;
 }

 void
 Ssl::CertValidationResponse::RecvdError::setCert(X509 *aCert)
 {
-    cert.resetAndLock(aCert);
+    cert.reset(aCert);
 }

 Ssl::CertValidationMsg::CertItem::CertItem(const CertItem &old)
 {
     name = old.name;
     setCert(old.cert.get());
 }

 Ssl::CertValidationMsg::CertItem & Ssl::CertValidationMsg::CertItem::operator = (const CertItem &old)
 {
     name = old.name;
     setCert(old.cert.get());
     return *this;
 }

 void
 Ssl::CertValidationMsg::CertItem::setCert(X509 *aCert)
 {
-    cert.resetAndLock(aCert);
+    cert.reset(aCert);
 }

 const std::string Ssl::CertValidationMsg::code_cert_validate("cert_validate");
 const std::string Ssl::CertValidationMsg::param_domain("domain");
 const std::string Ssl::CertValidationMsg::param_cert("cert_");
 const std::string Ssl::CertValidationMsg::param_error_name("error_name_");
 const std::string Ssl::CertValidationMsg::param_error_reason("error_reason_");
 const std::string Ssl::CertValidationMsg::param_error_cert("error_cert_");
 const std::string Ssl::CertValidationMsg::param_error_depth("error_depth_");
 const std::string Ssl::CertValidationMsg::param_proto_version("proto_version");
 const std::string Ssl::CertValidationMsg::param_cipher("cipher");

=== modified file 'src/ssl/gadgets.cc'
--- src/ssl/gadgets.cc	2016-06-14 18:12:14 +0000
+++ src/ssl/gadgets.cc	2016-06-20 22:41:58 +0000
 <at>  <at>  -492,41 +492,41  <at>  <at> 
                 if (X509_add_ext(cert.get(), ext, -1))
                     ++addedExtensions;
             }
         }

         addedExtensions += mimicExtensions(cert, properties.mimicCert, properties.signWithX509);

         // According to RFC 5280, using extensions requires v3 certificate.
         if (addedExtensions)
             X509_set_version(cert.get(), 2); // value 2 means v3
     }

     return true;
 }

 static bool generateFakeSslCertificate(Security::CertPointer & certToStore,
Ssl::EVP_PKEY_Pointer & pkeyToStore, Ssl::CertificateProperties const &properties, 
Ssl::BIGNUM_Pointer const &serial)
 {
     Ssl::EVP_PKEY_Pointer pkey;
     // Use signing certificates private key as generated certificate private key
     if (properties.signWithPkey.get())
-        pkey.resetAndLock(properties.signWithPkey.get());
+        pkey.reset(properties.signWithPkey.get());
     else // if not exist generate one
         pkey.reset(Ssl::createSslPrivateKey());

     if (!pkey)
         return false;

     Security::CertPointer cert(X509_new());
     if (!cert)
         return false;

     // Set pub key and serial given by the caller
     if (!X509_set_pubkey(cert.get(), pkey.get()))
         return false;
     if (!setSerialNumber(X509_get_serialNumber(cert.get()), serial.get()))
         return false;

     // Fill the certificate with the required properties
     if (!buildCertificate(cert, properties))
         return false;

=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc	2016-06-02 09:52:43 +0000
+++ src/ssl/support.cc	2016-06-20 22:43:17 +0000
 <at>  <at>  -289,41 +289,41  <at>  <at> 
             if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_errors,  (void *)errs)) {
                 debugs(83, 2, "Failed to set ssl error_no in ssl_verify_cb: Certificate " << buffer);
                 delete errs;
                 errs = NULL;
             }
         } else // remember another error number
             errs->push_back_unique(Ssl::CertError(error_no, broken_cert));

         if (const char *err_descr = Ssl::GetErrorDescr(error_no))
             debugs(83, 5, err_descr << ": " << buffer);
         else
             debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer);

         // Check if the certificate error can be bypassed.
         // Infinity validation loop errors can not bypassed.
         if (error_no != SQUID_X509_V_ERR_INFINITE_VALIDATION) {
             if (check) {
                 ACLFilledChecklist *filledCheck = Filled(check);
                 assert(!filledCheck->sslErrors);
                 filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert));
-                filledCheck->serverCert.resetAndLock(peer_cert);
+                filledCheck->serverCert.reset(peer_cert);
                 if (check->fastCheck() == ACCESS_ALLOWED) {
                     debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
                     ok = 1;
                 } else {
                     debugs(83, 5, "confirming SSL error " << error_no);
                 }
                 delete filledCheck->sslErrors;
                 filledCheck->sslErrors = NULL;
                 filledCheck->serverCert.reset(NULL);
             }
             // If the certificate validator is used then we need to allow all errors and
             // pass them to certficate validator for more processing
             else if (Ssl::TheConfig.ssl_crt_validator) {
                 ok = 1;
             }
         }
     }

     if (Ssl::TheConfig.ssl_crt_validator) {
         // Check if we have stored certificates chain. Store if not.
 <at>  <at>  -1282,42 +1282,42  <at>  <at> 
 }

 bool Ssl::generateUntrustedCert(Security::CertPointer &untrustedCert, EVP_PKEY_Pointer
&untrustedPkey, Security::CertPointer const  &cert, EVP_PKEY_Pointer const & pkey)
 {
     // Generate the self-signed certificate, using a hard-coded subject prefix
     Ssl::CertificateProperties certProperties;
     if (const char *cn = CommonHostName(cert.get())) {
         certProperties.commonName = "Not trusted by \"";
         certProperties.commonName += cn;
         certProperties.commonName += "\"";
     } else if (const char *org = getOrganization(cert.get())) {
         certProperties.commonName =  "Not trusted by \"";
         certProperties.commonName += org;
         certProperties.commonName += "\"";
     } else
         certProperties.commonName =  "Not trusted";
     certProperties.setCommonName = true;
     // O, OU, and other CA subject fields will be mimicked
     // Expiration date and other common properties will be mimicked
     certProperties.signAlgorithm = Ssl::algSignSelf;
-    certProperties.signWithPkey.resetAndLock(pkey.get());
-    certProperties.mimicCert.resetAndLock(cert.get());
+    certProperties.signWithPkey.reset(pkey.get());
+    certProperties.mimicCert.reset(cert.get());
     return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties);
 }

 SSL *
 SslCreate(Security::ContextPtr sslContext, const int fd, Ssl::Bio::Type type, const char *squidCtx)
 {
     if (fd < 0) {
         debugs(83, DBG_IMPORTANT, "Gone connection");
         return NULL;
     }

     const char *errAction = NULL;
     int errCode = 0;
     if (auto ssl = SSL_new(sslContext)) {
         // without BIO, we would call SSL_set_fd(ssl, fd) instead
         if (BIO *bio = Ssl::Bio::Create(fd, type)) {
             Ssl::Bio::Link(ssl, bio); // cannot fail

             fd_table[fd].ssl.reset(ssl);
             fd_table[fd].read_method = &ssl_read_method;
 <at>  <at>  -1335,53 +1335,53  <at>  <at> 

     debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction <<
            ": " << ERR_error_string(errCode, NULL));
     return NULL;
 }

 SSL *
 Ssl::CreateClient(Security::ContextPtr sslContext, const int fd, const char *squidCtx)
 {
     return SslCreate(sslContext, fd, Ssl::Bio::BIO_TO_SERVER, squidCtx);
 }

 SSL *
 Ssl::CreateServer(Security::ContextPtr sslContext, const int fd, const char *squidCtx)
 {
     return SslCreate(sslContext, fd, Ssl::Bio::BIO_TO_CLIENT, squidCtx);
 }

 Ssl::CertError::CertError(ssl_error_t anErr, X509 *aCert, int aDepth): code(anErr), depth(aDepth)
 {
-    cert.resetAndLock(aCert);
+    cert.reset(aCert);
 }

 Ssl::CertError::CertError(CertError const &err): code(err.code), depth(err.depth)
 {
-    cert.resetAndLock(err.cert.get());
+    cert.reset(err.cert.get());
 }

 Ssl::CertError &
 Ssl::CertError::operator = (const CertError &old)
 {
     code = old.code;
-    cert.resetAndLock(old.cert.get());
+    cert.reset(old.cert.get());
     return *this;
 }

 bool
 Ssl::CertError::operator == (const CertError &ce) const
 {
     return code == ce.code && cert.get() == ce.cert.get();
 }

 bool
 Ssl::CertError::operator != (const CertError &ce) const
 {
     return code != ce.code || cert.get() != ce.cert.get();
 }

 static int
 store_session_cb(SSL *ssl, SSL_SESSION *session)
 {
     if (!Ssl::SessionCache)
         return 0;

_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
noc | 21 Jun 05:48 2016

Build failed in Jenkins: trunk-full-matrix » gcc,d-centos-7 #185

See <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-centos-7/185/>

------------------------------------------
Started by upstream project "trunk-full-matrix" build number 185
originally caused by:
 Started by an SCM change
Building remotely on d-centos-7 (gcc farm 7.2.1511 CentOS-7.2.1511 CentOS buildmaster clang
amd64-CentOS-7.2.1511 amd64-CentOS amd64) in workspace <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-centos-7/ws/>
[WS-CLEANUP] Deleting project workspace...
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-centos-7/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-centos-7/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-centos-7/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
[description-setter] Description set: 
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
noc | 21 Jun 05:28 2016

Build failed in Jenkins: trunk-full-matrix » clang,d-debian-jessie #185

See <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-debian-jessie/185/>

------------------------------------------
Started by upstream project "trunk-full-matrix" build number 185
originally caused by:
 Started by an SCM change
Building remotely on d-debian-jessie (gcc farm 8.2 amd64-Debian buildmaster Debian clang
amd64-Debian-8.2 amd64 Debian-8.2) in workspace <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-debian-jessie/ws/>
[WS-CLEANUP] Deleting project workspace...
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-debian-jessie/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-debian-jessie/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-debian-jessie/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
[description-setter] Description set: 
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
noc | 21 Jun 05:26 2016

Build failed in Jenkins: trunk-full-matrix » clang,d-centos-7 #185

See <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-centos-7/185/>

------------------------------------------
Started by upstream project "trunk-full-matrix" build number 185
originally caused by:
 Started by an SCM change
Building remotely on d-centos-7 (gcc farm 7.2.1511 CentOS-7.2.1511 CentOS buildmaster clang
amd64-CentOS-7.2.1511 amd64-CentOS amd64) in workspace <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-centos-7/ws/>
[WS-CLEANUP] Deleting project workspace...
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-centos-7/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-centos-7/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=clang,label=d-centos-7/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
[description-setter] Description set: 
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
noc | 21 Jun 05:16 2016

Build failed in Jenkins: trunk-full-matrix » gcc,d-debian-unstable #185

See <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-debian-unstable/185/>

------------------------------------------
Started by upstream project "trunk-full-matrix" build number 185
originally caused by:
 Started by an SCM change
Building remotely on d-debian-unstable (gcc farm unstable amd64-Debian buildmaster Debian clang
amd64-Debian-unstable Debian-unstable amd64) in workspace <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-debian-unstable/ws/>
[WS-CLEANUP] Deleting project workspace...
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-debian-unstable/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-debian-unstable/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/trunk-full-matrix/compiler=gcc,label=d-debian-unstable/ws/>
bzr: ERROR: Connection closed: Connection lost while sending request. 
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
[description-setter] Description set: 
_______________________________________________
squid-dev mailing list
squid-dev <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Gmane