www/178788: fix squid 'server-first ssl_bump' crash with specific openssl versions
Marcello Coutinho
marcellocoutinho at gmail.com
Mon May 20 14:30:01 UTC 2013
>Number: 178788
>Category: www
>Synopsis: fix squid 'server-first ssl_bump' crash with specific openssl versions
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-www
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon May 20 14:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Marcello Coutinho
>Release: 8.3
>Organization:
>Environment:
FreeBSD bsd816.****.***.br 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Attached is a small fix to avoid squid crashing on specific openssl versions while using 'server-first ssl_bump'.
This patch was applied based on this list topic.
http://www.mail-archive.com/squid-users@squid-cache.org/msg89348.html
More detailed debug on it:
http://bugs.squid-cache.org/show_bug.cgi?id=3816
>How-To-Repeat:
Use server-first ssl_bump with openssl version OpenSSL 0.9.8y 5 Feb 2013, for example.
>Fix:
Change src/ssl/support.cc to change the certificate fetch method depending on the SSL version.
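The fix keys off OPENSSL_VERSION_NUMBER, so the first thing a reviewer wants to check is that the hex constants in the patch really name the releases the report talks about. The following C program is an added example, not code from the submission or from Squid: it decodes OpenSSL's pre-3.0 version layout (MNNFFPPS: major nibble, minor byte, fix byte, patch-letter byte, status nibble) and reproduces the exact-match gate the patch uses. The function names and the table of "affected" versions are this example's own; the table simply lists the three constants that appear in the patched #if.

```c
#include <stdio.h>
#include <string.h>

/*
 * Decode an OPENSSL_VERSION_NUMBER (OpenSSL < 3.0 layout MNNFFPPS) into the
 * human-readable form "M.NN.FF<patch>". Patch byte 0 means no letter,
 * 1..26 map to 'a'..'z', and 27 and above are written as "z" plus a second
 * letter, as OpenSSL did for 0.9.8za and later. Status 0xf is a release,
 * 0 is a development snapshot, anything else is a beta number.
 */
static void openssl_version_string(unsigned long v, char *out, size_t outlen)
{
    unsigned major  = (unsigned)((v >> 28) & 0xf);
    unsigned minor  = (unsigned)((v >> 20) & 0xff);
    unsigned fix    = (unsigned)((v >> 12) & 0xff);
    unsigned patch  = (unsigned)((v >> 4)  & 0xff);
    unsigned status = (unsigned)(v & 0xf);
    char letters[3] = "";

    if (patch >= 1 && patch <= 26) {
        letters[0] = (char)('a' + patch - 1);
    } else if (patch > 26 && patch <= 52) {
        letters[0] = 'z';
        letters[1] = (char)('a' + patch - 27);
    }

    if (status == 0xf)
        snprintf(out, outlen, "%u.%u.%u%s", major, minor, fix, letters);
    else if (status == 0)
        snprintf(out, outlen, "%u.%u.%u%s-dev", major, minor, fix, letters);
    else
        snprintf(out, outlen, "%u.%u.%u%s-beta%u", major, minor, fix, letters, status);
}

/* Convenience predicate so the decoding can be checked without a buffer. */
static int version_string_equals(unsigned long v, const char *expected)
{
    char buf[32];
    openssl_version_string(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/*
 * The three constants from the patched #if in src/ssl/support.cc:
 * 1.0.1e, 1.0.1d and (added by this PR) 0.9.8y. This table name is the
 * example's own, not a Squid identifier.
 */
static const unsigned long ctx_cert_workaround_versions[] = {
    0x1000105fL, 0x1000104fL, 0x0090819fL,
};

/*
 * Mirror of the patch's gate: the "read the certificate straight out of the
 * SSL_CTX" path is taken only for an exact version match, so a neighbouring
 * release such as 0.9.8x (0x0090818fL) still goes through SSL_get_certificate.
 */
static int needs_ctx_cert_workaround(unsigned long v)
{
    size_t n = sizeof ctx_cert_workaround_versions / sizeof ctx_cert_workaround_versions[0];
    size_t i;
    for (i = 0; i < n; i++)
        if (ctx_cert_workaround_versions[i] == v)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the patch's constants plus two non-matching neighbours. */
    const unsigned long samples[] = {
        0x1000105fL, 0x1000104fL, 0x0090819fL, 0x0090818fL, 0x009081bfL,
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[32];
        openssl_version_string(samples[i], buf, sizeof buf);
        printf("0x%08lx -> %-8s workaround=%d\n", samples[i], buf,
               needs_ctx_cert_workaround(samples[i]));
    }
    return 0;
}
```

Running it shows why the exact-match style matters: 0x0090819fL does decode to 0.9.8y, but 0.9.8x and 0.9.8za decode to adjacent releases that the gate deliberately leaves on the SSL_get_certificate path, so any claim that those are also affected has to be backed by a separate test rather than by the #if.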
Patch attached with submission follows:
diff -Nru squid33.orig/Makefile squid33/Makefile
--- squid33.orig/Makefile 2013-05-20 11:11:42.000000000 -0300
+++ squid33/Makefile 2013-05-20 11:13:24.000000000 -0300
@@ -39,7 +39,7 @@
PORTNAME= squid
PORTVERSION= 3.3.${SQUID_STABLE_VER}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www ipv6
MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
http://mirrors.ccs.neu.edu/Squid/ \
diff -Nru squid33.orig/files/patch-src-ssl-support.cc squid33/files/patch-src-ssl-support.cc
--- squid33.orig/files/patch-src-ssl-support.cc 1969-12-31 21:00:00.000000000 -0300
+++ squid33/files/patch-src-ssl-support.cc 2013-05-16 22:50:17.000000000 -0300
@@ -0,0 +1,11 @@
+--- src/ssl/support.cc.orig 2013-05-09 08:59:19.000000000 -0500
++++ src/ssl/support.cc 2013-05-09 09:00:25.000000000 -0500
+@@ -1413,7 +1413,7 @@
+ {
+ // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
+ // Try to retrieve certificate directly from SSL_CTX object
+-#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL
++#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL || OPENSSL_VERSION_NUMBER == 0x0090819fL
+ X509 ***pCert = (X509 ***)sslContext->cert;
+ X509 * cert = pCert && *pCert ? **pCert : NULL;
+ #else
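Review bot: the comment directly above the changed #if still reads "SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e", but the condition now also matches 0x0090819fL, which is 0.9.8y; update the comment to list 0.9.8y as well and, since the PR cites it, reference http://bugs.squid-cache.org/show_bug.cgi?id=3816 there so the next reader can see why the third version was added. Two further points on this hunk: the gate is an exact equality, so neighbouring 0.9.8 releases (0.9.8x, 0.9.8za, ...) keep using SSL_get_certificate even if they carry the same defect, and the fallback `X509 ***pCert = (X509 ***)sslContext->cert;` casts through OpenSSL's private SSL_CTX layout, which is exactly why it must stay narrowly version-gated; a one-line comment saying both would make the workaround safer to maintain. The hunk counts are consistent (the new files/ patch is the 11 lines declared in `@@ -0,0 +1,11 @@`, and the nested `@@ -1413,7 +1413,7 @@` shows seven lines on each side).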
>Release-Note:
>Audit-Trail:
>Unformatted: