Josh Crane | 1 Aug 03:59 2014

peek/splice

Hi there

Just had a couple of quick questions re the peek and splice branch code below..

>>

SSL *clientSsl = fd_table[request->clientConnectionManager->clientConnection->fd].ssl;
BIO *b = SSL_get_rbio(clientSsl);
Ssl::ClientBio *clnBio = static_cast<Ssl::ClientBio *>(b->ptr);
const Ssl::Bio::sslFeatures &features = clnBio->getFeatures();
...
if (!features.serverName.empty())
     SSL_set_tlsext_host_name(ssl, features.serverName.c_str());

<<

Given the above and related code within bio/clientbio, I'd like to be able to call SSL_get_servername() or
similar to grab the target https hostname (via TLS SNI) from within httpsAccept() (i.e. before a peek is performed).

Is this possible?
And given that's all I want from the peek/splice branch atm, is it easy enough to merge the relevant sections
with stable to achieve what I want?

Also, is it possible to get the peek/splice branch neatly packaged for config/compilation on generic
(various) distributions?

Cheers!

Amos Jeffries | 31 Jul 11:29 2014

[PATCH] OAuth 2.0 Bearer authentication

RFC 6750 OAuth 2.0 Authorization Framework: Bearer Token Usage

The attached patch adds a minimal implementation of Bearer
authentication scheme to Squid. It consists of three components:

1) Squid build system infrastructure for building Bearer authentication

2) A testing fake-auth helper (bearer_fake_auth).

Helper which takes Bearer helper input and always returns OK.

3) Bearer authentication library ("module") for Squid.

 * implements the logics for squid.conf "Bearer" auth_param scheme and
necessary configuration options.

 * implements the helper management and API for Bearer helpers.

 * implements logics for www-auth and proxy-auth header parsing and
generating.

At present no restriction between HTTP and HTTPS is defined by Squid.
Challenges will be made for both. It is left to the client to ensure
adequate security on the connection it sends Bearer tokens.

 * implements helper driven TTL for token caching.

Due to significant security risks with Bearer tokens the TTL is not
configurable from squid.conf. Instead the helper is expected to provide
a ttl= parameter from the auth backend explicitly determining the time

Amos Jeffries | 31 Jul 02:35 2014

Re: /bzr/squid3/trunk/ r13517: Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formating codes

Hi Christos,

Can you confirm or deny for me that these %USER_CERT_* macros map to the
%ssl::>cert_* logformat codes?

Their existence is one of the outstanding issues with external_acl_type
upgrade to logformat.

Cheers
Amos

On 31/07/2014 3:31 a.m., Christos Tsantilas wrote:
> ------------------------------------------------------------
> revno: 13517
> committer: Christos Tsantilas <chtsanti <at> users.sourceforge.net>
> branch nick: trunk
> timestamp: Wed 2014-07-30 18:31:10 +0300
> message:
>   Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formating codes
>   
>     * The attribute part of the %USER_CA_CERT_xx and %CA_CERT_xx formatting codes
>       is not parsed correctly, making these formatting codes useless.
>     * The %USER_CA_CERT_xx is documented wrongly
> modified:
>   src/cf.data.pre
>   src/external_acl.cc
> 

noc | 30 Jul 18:22 2014

Build failed in Jenkins: 3.HEAD-coadvisor #351

See <http://build.squid-cache.org/job/3.HEAD-coadvisor/351/>

------------------------------------------
Started by an SCM change
Building remotely on co-advisor (gcc i386 i386-Ubuntu 12.04 Ubuntu i386-Ubuntu-12.04 Ubuntu-12.04) in
workspace <http://build.squid-cache.org/job/3.HEAD-coadvisor/ws/>
Cleaning workspace...
$ bzr checkout --lightweight http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/3.HEAD-coadvisor/ws/>
Getting local revision...
$ bzr revision-info -d <http://build.squid-cache.org/job/3.HEAD-coadvisor/ws/>
info result: bzr revision-info -d <http://build.squid-cache.org/job/3.HEAD-coadvisor/ws/>
returned 0. Command output: "13518 chtsanti <at> users.sourceforge.net-20140730160419-fifkmwph1oc5waq9
" stderr: ""
RevisionState revno:13518 revid:chtsanti <at> users.sourceforge.net-20140730160419-fifkmwph1oc5waq9
[3.HEAD-coadvisor] $ /bin/sh -xe /tmp/hudson7354721507298418814.sh
+ /home/jenkins/script/makeOneTest.pl --config=/home/jenkins/script/config.cfg
--audited=http://eu.kinkie.it:880/coadvisor-artifacts/52/archive/result --jjid=351 --jobname=3.HEAD-coadvisor
Make has failed:  at /home/jenkins/script/makeOneTest.pl line 154.
Build step 'Execute shell' marked build as failure
Archiving artifacts

noc | 30 Jul 17:14 2014

Build failed in Jenkins: 3.HEAD-amd64-centos-6 #417

See <http://build.squid-cache.org/job/3.HEAD-amd64-centos-6/417/changes>

Changes:

[Amos Jeffries] Cleanup: polish header masks and fix incorrect entries

------------------------------------------
[...truncated 5260 lines...]

noc | 29 Jul 16:09 2014

Jenkins build is back to normal : 3.HEAD-amd64-FreeBSD-7.2 #2248

See <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-7.2/2248/changes>

Markus Moeller | 26 Jul 21:24 2014

[PATCH] Kerberos configure patch + some cleanup

Hi

  Here is a patch which does rewrite the configure.ac and cleans up some 
code in the kerberos auth and kerberos ldap helper.  Additionally the 
kerberos ldap helper checks now for AD primary group membership too.

Markus 
Attachment (trunk_kerberos_cleanup_6.patch): application/octet-stream, 96 KiB

noc | 26 Jul 16:05 2014

Build failed in Jenkins: 3.HEAD-amd64-FreeBSD-10-clang #128

See <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-10-clang/128/>

------------------------------------------
Started by upstream project "3.HEAD-amd64-centos-6" build number 414
originally caused by:
 Started by user Amos Jeffries
Building remotely on rs-fbsd-10 (gcc freebsd-10.0-RELEASE farm amd64-freebsd-10.0-RELEASE
10.0-RELEASE clang freebsd amd64-freebsd amd64) in workspace <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-10-clang/ws/>
$ bzr revision-info -d <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-10-clang/ws/>
info result: bzr revision-info -d
<http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-10-clang/ws/> returned 3. Command
output: "" stderr: "bzr: ERROR: No such file:
u'/home/jenkins/.bzr/repository/indices/fe80b900a41cde7af9a6cbda9f3d26d7.rix': [Errno 2] No
such file or directory: u'/home/jenkins/.bzr/repository/indices/fe80b900a41cde7af9a6cbda9f3d26d7.rix'
"
[3.HEAD-amd64-FreeBSD-10-clang] $ bzr pull --overwrite http://bzr.squid-cache.org/bzr/squid3/trunk/
http://bzr.squid-cache.org/bzr/squid3/trunk is permanently redirected to http://bzr.squid-cache.org/bzr/squid3/trunk/
bzr: ERROR: No such file:
u'/usr/home/jenkins/.bzr/repository/indices/fe80b900a41cde7af9a6cbda9f3d26d7.rix': [Errno
2] No such file or directory: u'/usr/home/jenkins/.bzr/repository/indices/fe80b900a41cde7af9a6cbda9f3d26d7.rix'
ERROR: Failed to pull
Since BZR itself isn't crash safe, we'll clean the workspace so that on the next try we'll do a clean pull...
Retrying after 10 seconds
Cleaning workspace...
$ bzr branch http://bzr.squid-cache.org/bzr/squid3/trunk/ <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-10-clang/ws/>
bzr: ERROR: No such file:
u'/home/jenkins/.bzr/repository/indices/fe80b900a41cde7af9a6cbda9f3d26d7.rix': [Errno 2] No
such file or directory: u'/home/jenkins/.bzr/repository/indices/fe80b900a41cde7af9a6cbda9f3d26d7.rix'
ERROR: Failed to branch http://bzr.squid-cache.org/bzr/squid3/trunk/
Retrying after 10 seconds

noc | 25 Jul 15:03 2014

Build failed in Jenkins: 3.HEAD-amd64-ubuntu-saucy #279

See <http://build.squid-cache.org/job/3.HEAD-amd64-ubuntu-saucy/279/changes>

Changes:

[Amos Jeffries] Optimize Comm::Connection IP::address setting

Use an inline setter to set both local and remote IP address values in
one call.

------------------------------------------
[...truncated 35946 lines...]

Amos Jeffries | 25 Jul 06:37 2014

Squid 3.5 release timetable

As luck would have it today is exactly 1 year since the first patch was
held in trunk for 3.5 series release.

Below is my current plan. Any objections please speak up.

1) Branching:

I hope this can be done next weekend. August 1-3, maybe the week after
if there are delays.

We have enough features to make it useful even though some of the larger
projects have not made it in.

However, to minimize work in stage-2 trunk needs to be relatively stable
before this happens. If any of you have patches lined up for commit or
about to be, please reply to this mail with details so we can triage
what gets in and what can hold off in audit.

Note that patches applied after branching may still get to 3.5, but will
have to be stable in trunk first.

Patches that are welcome any time:
 - documentation updates
 - security bug fixes

2) Documentation and stability testing

After branching we need to do as much testing as we can throw at the new
branch and update any missing documentation.


noc | 23 Jul 03:45 2014

Build failed in Jenkins: 3.HEAD-amd64-FreeBSD-9.1-clang #615

See <http://build.squid-cache.org/job/3.HEAD-amd64-FreeBSD-9.1-clang/615/changes>

Changes:

[Amos Jeffries] Fix unit test linker issues in testHttpReply and testStore

Also, update STUB files for comm.cc, event.cc, and libssl-squid.la

[Automatic source maintenance] SourceFormat Enforcement

[Christos Tsantilas] Fix tcp outgoing tos bugs

The tcp_outgoing_tos is buggy in trunk:
- The ToS is never set for packets of the first request of a TCP connection.
- The ToS is never set for HTTPS traffic no matter whether requests are bumped
or not.
- The ToS value is not set for ftp data connections

This patch solves the above problems:
- It moves the code which sets the TOS value for a new connection from
the comm_openex to a higher-level code, where the connection protocol
(IPv4 or IPv6) is known.
- Add code to set TOS value for ftp data connections.
- Add a check on parsing code to warn users if the configured ToS value has the
ECN bits set, and adjust the value to a correct one.

Notes
Currently squid supports only passive ftp data connections. If squid in the
future supports active ftp connections, then some work is required on the TcpAcceptor
class to allow setting ToS values for connections established on squid listening