Re: https_port without SSL context?

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 8 Nov 2007 14:04:28 +1300 (NZDT)

> On Tue, 2007-11-06 at 13:28 -0700, Alex Rousskov wrote:
>
>> As you can see, a warning is printed but there are no consequences. That
>> is, Squid will still listen on the specified port although it probably
>> would not be able to do anything useful there without a valid SSL
>> context.
>
> it's meant to skip the setup of the https_port if the context could not
> be created.
>
> Looks like a slightly bad/partial forward-port .. In Squid-2 it reads
>
>     if (!s->sslContext)
>         continue;
>
>> Should Squid abort if https_port configuration results in a nil SSL
>> context? Should that abort happen when we try to create the context?
>
> Good question. Have been in both modes.
>
> Switched to soft warning mode to avoid aborting only because one is
> adding a new https_port and has trouble getting the certificates right.
> There are too many opportunities for error when setting up the
> certificates, and having the proxy abort completely on "-k reconfigure"
> due to a silly certificate error was not very nice.
>

IMHO it should be that kind of soft-fail-safe for all the modules. So the
ones that work will keep going on a production machine while the admin is
emergency debugging config on the one that won't. Then a simple
reconfigure can start it up.

Amos
Received on Wed Nov 07 2007 - 18:04:36 MST
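
The soft-fail behaviour discussed in this thread, as an added example that is not part of the original messages and is not Squid code: a port whose context cannot be created is skipped with a warning, the other ports keep listening, and a later reconfigure pass brings the fixed port up. The `https_port` struct, `create_context()` and `reconfigure()` are hypothetical names; context creation is modelled as a readability check on the certificate file, the listener as a flag, and the file names are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model of an https_port entry; not Squid's own structure. */
struct https_port {
    int port;
    const char *cert;   /* certificate path from the configuration */
    int has_context;    /* stand-in for a non-NULL sslContext */
    int listening;      /* stand-in for an open listening socket */
};

/* Stand-in for SSL context creation: fails if the certificate is unreadable. */
static int create_context(const char *cert) {
    FILE *f = fopen(cert, "r");
    if (!f)
        return 0;
    fclose(f);
    return 1;
}

/* One "-k reconfigure" pass. Returns the number of ports now listening. */
static int reconfigure(struct https_port *ports, size_t n) {
    int active = 0;
    for (size_t i = 0; i < n; i++) {
        struct https_port *s = &ports[i];
        s->listening = 0;
        s->has_context = create_context(s->cert);
        if (!s->has_context) {
            fprintf(stderr, "WARNING: no SSL context for https_port %d (%s)\n",
                    s->port, s->cert);
            continue;   /* soft fail: skip this port, keep the others */
        }
        s->listening = 1;   /* only reached with a valid context */
        active++;
    }
    return active;
}

int main(void) {
    /* Constructed sample: the path does not exist, so the port is skipped. */
    struct https_port ports[] = { { 8443, "constructed-missing.pem", 0, 0 } };
    printf("listening: %d\n", reconfigure(ports, 1));
    return 0;
}
```
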
