On 25/05/2015 11:30 p.m., Paulo Matias wrote:
> Hi,
>
> Sorry for getting this sent to squid-users instead of the adequate
> mailing list for patches (squid-dev). We have tried to send the
> patch to squid-dev without a subscription (as recommended in
> http://www.squid-cache.org/Support/mailing-lists.html#squid-dev),
> but perhaps the message did not get to the list administrator.

Could you subscribe then please and post it (or the updated version after below).

This has effects that I'd like our SSL devs to double check.

For my part on the audit:

* please separate into two patches - one for the renegotiation changes, one for the EECDH.

* please avoid #ifdef and #ifndef in new code.
  - use #if defined() style instead.

Renegotiation:

* please wrap the entire ssl_info_cb() definition in the #if conditionals and the appropriate calling lines. I know it's a bit messy, but increasingly the library builds are lacking renegotiation support entirely so this means smaller/faster builds.

EECDH:

FYI: with the deprecation of SSLv3 I'm working now towards a cleanup of the SSL options with removals where possible.

* the DH parameters I think would be better added as a new option "tls-dh=curve:/path/to/params" where the 'curve' part is optional and implies EC when present - non-EC when absent.

* SINGLE_ECDH_USE needs to be documented in release-4.sgml "New <em>options=SINGLE_ECDH_USE</em> parameter to ..."

* The ECDH changes affect both https_port and http_port. They need separate listings for each under changed directives, duplicate text on the line items is fine.

* please implement (duplicate) all this UI parse change using the Security::PeerOptions object (src/security/PeerOptions.*) - the src/ssl/* code for UI parsing and config storage is 'legacy', only used by http(s)_port directives.
  - this may require some small changes suitable for use on client contexts
  - UI options added to Security::PeerOptions get documented in release-4.sgml as changes for both cache_peer and tls_outgoing_options.
  - also in cf.data.pre for those directives

* configureSslEECDH() returns true in the event that the chosen configuration options are not even available.
  - please make an #else condition that displays an ERROR message at level DBG_CRITICAL about the option(s) not being available, then return false.
  - variable 'ok' can then become const (define on assignment) and move fully inside the #if case.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
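As an added example (not part of the patch under review, of Squid, or of the message above), the following C++ sketch shows the two shapes the review asks for: a parser for a `tls-dh=[curve:]/path/to/params` value in which the curve part is optional (present implies EC, absent implies classic DH), and a `configureSslEECDH()`-style function where the whole configuration and the const `ok` live inside `#if defined()`, with an `#else` branch that logs at DBG_CRITICAL and returns false instead of reporting success. `debugs`, `DBG_CRITICAL`, the feature macro `EXAMPLE_HAVE_ECDH`, `DhParams`, `TlsContext`, and the function names are constructed stand-ins for this example, not Squid's own code or API; the sample option values are likewise constructed.

```cpp
#include <cstdio>
#include <string>

// Constructed stand-ins for Squid's debugs() macro and DBG_CRITICAL level
// (assumption: real code would use Squid's own Debug facility).
#define DBG_CRITICAL 0
#define debugs(section, level, msg) \
    std::fprintf(stderr, "%d,%d| %s\n", (section), (level), (msg))

// Stand-in feature macro. In a real build this would be the TLS library's own
// macro (for example OpenSSL's SSL_OP_SINGLE_ECDH_USE); defined here so the
// example compiles stand-alone. Comment it out to exercise the #else branch.
#define EXAMPLE_HAVE_ECDH 1

// Parsed form of the proposed "tls-dh=[curve:]/path/to/params" option.
struct DhParams {
    bool isEC = false;      // true when the optional "curve:" prefix is present
    std::string curve;      // e.g. "prime256v1" (only meaningful when isEC)
    std::string paramsFile; // path to the DH parameter file
};

// Parse the option value. Curve present => EC, curve absent => non-EC DH.
// Assumption: a value starting with '/' is a bare path with no curve prefix.
// Returns false on an empty or malformed value so the caller can reject it.
bool parseTlsDh(const std::string &value, DhParams &out)
{
    out = DhParams();
    if (value.empty())
        return false;
    const std::string::size_type colon = value.find(':');
    if (colon == std::string::npos || value[0] == '/') {
        out.paramsFile = value;       // no curve: classic DH parameters
        return true;
    }
    out.curve = value.substr(0, colon);
    out.paramsFile = value.substr(colon + 1);
    out.isEC = !out.curve.empty();
    return out.isEC && !out.paramsFile.empty();
}

// Minimal constructed context recording what was configured.
struct TlsContext {
    bool ecdhConfigured = false;
    bool singleEcdhUse = false;
    std::string curve;
};

// Apply EECDH settings. Everything, including the const 'ok', sits inside the
// #if; the #else logs at DBG_CRITICAL and returns false rather than pretending
// the unavailable option was applied.
bool configureEecdh(TlsContext &ctx, const DhParams &dh, bool singleEcdhUse)
{
#if defined(EXAMPLE_HAVE_ECDH)
    const bool ok = dh.isEC && !dh.curve.empty(); // const, defined on assignment
    if (!ok) {
        debugs(83, DBG_CRITICAL, "ERROR: EECDH requires a curve: prefix in tls-dh");
        return false;
    }
    ctx.curve = dh.curve;
    ctx.ecdhConfigured = true;
    ctx.singleEcdhUse = singleEcdhUse; // the SINGLE_ECDH_USE option
    return ok;
#else
    (void)ctx; (void)dh; (void)singleEcdhUse;
    debugs(83, DBG_CRITICAL, "ERROR: EECDH requested but this build's TLS library has no ECDH support");
    return false;
#endif
}

int main()
{
    DhParams dh;
    TlsContext ctx;
    // Constructed sample value; the path does not need to exist for this demo.
    if (parseTlsDh("prime256v1:/etc/squid/dhparams.pem", dh))
        std::printf("EECDH configured: %s\n", configureEecdh(ctx, dh, true) ? "yes" : "no");
    return 0;
}
```

The point of the `#else` branch is operational: an administrator who enables EECDH on a build without ECDH support gets a critical log line and a refused configuration, rather than a server that silently runs with weaker key exchange than configured.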