Re: [PATCH] Support bump-ssl-server-first and mimic SSL server certificates

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 17 Jul 2012 13:57:46 +1200

On 17.07.2012 04:15, Tsantilas Christos wrote:
> This is one more patch for bump-ssl-server-first feature.
> This is handle most of Amos comments and allow use old ssl_bump
> syntax:
> ssl_bump allow/deny acl ...
>
> This patch try to implement the following rules:
> 1. Convert allow to client-first, with a deprecation warning. One
> such warning per config.
> 2. Convert deny to none, with a deprecation warning. One such
> warning
> per config.
> 3. If there was a conversion, make the implicit negation rule
> explicit by adding either "none all" or "client-first all" as
> appropriate. Emit a warning specifying which rule has been added.
> This
> will need to be done after the entire configuration has been parsed,
> of
> course. It uses the rrFinalizeConfig Runner.
> 4. Issue a fatal error if a mixture of old and new keywords is
> found.
>
>
> I am attaching two patches here. The first is the changes over the
> original bump-ssl-server-first patch, which requested by Amos. And
> the
> second is the final patch.
>
> Regards,
> Christos

Thank you.

Are the new WARNING really that important that they always be at
CRITICAL level?
I would think the impact was a bit less (no impact in the case of deny)
    s/DBG_CRITICAL/DBG_PARSE_NOTE(2)/ for the deny conversion?
    s/DBG_CRITICAL/DBG_PARSE_NOTE(DBG_IMPORTANT)/ for the allow
conversion?

... using the DBG_PARSE_NOTE(x) macro which is now available in trunk,
it bumps the message up to CRITICAL when -k parse is used, but outputs
at the indicated value during normal startup/reconfigure operations.

Also, the "allow" message would seem to qualify for the "SECURITY
NOTICE:" prefix instead of just "WARNING:".
   http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_Error_Messages

That polish can be done on commit.

+1 from me now, with or without the above.

Amos
Received on Tue Jul 17 2012 - 01:57:49 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 19 2012 - 12:00:03 MDT