Re: [PATCH] Handle infinite OpenSSL validation loops

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 27 Jul 2013 00:49:40 +1200

On 26/07/2013 10:20 p.m., Tsantilas Christos wrote:
> This patch tries to detect infinite OpenSSL validation loops.
>
> If OpenSSL is stuck in a validation loop, Squid breaks the loop and
> triggers a new custom SQUID_X509_V_ERR_INFINITE_VALIDATION SSL
> validation error.
> That error cannot be bypassed using sslproxy_cert_error because to break
> the loop Squid has to tell OpenSSL that the certificate is invalid,
> which terminates the SSL connection.
>
> The cause for this patch is the following bug in OpenSSL (but maybe in
> the future other similar problems will be found):
> http://rt.openssl.org/Ticket/Display.html?id=3090 (login with guest/guest)
>
> This is a Measurement Factory project

Please make the validation counter a fixed-size (uint16/32/64_t) and add
a note where SQUID_CERT_VALIDATION_ITERATION_MAX is defined about what
the absolute upper MAX limit that can be defined for the loop is.

+1. Otherwise fine as far as I can tell. Although I'm not aware enough
about the OpenSSL API to fully judge.
Amos
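The counter and cap discussed above, as an added C sketch that is not Squid's patch and not OpenSSL code: a function shaped like an OpenSSL verify callback counts its invocations per connection in a uint32_t and, once SQUID_CERT_VALIDATION_ITERATION_MAX is reached, records the custom error and returns 0 so the handshake stops. The error value, the per-connection struct and the loop driver are constructed stand-ins (the real patch would keep this state in SSL ex_data), and the comment at the MAX definition is the note the review asks for.

```c
#include <stdint.h>

/* Constructed stand-in for Squid's custom error code; the real value is
   defined in the patch, which this thread does not show. */
#define SQUID_X509_V_ERR_INFINITE_VALIDATION 0x7f01

/* Iteration ceiling. The counter is a uint32_t and the check below fires
   when iterations == MAX, so the absolute upper limit that can be defined
   here is UINT32_MAX - 1: anything higher could never be reached without
   the counter wrapping, and the loop would not be broken. */
#define SQUID_CERT_VALIDATION_ITERATION_MAX 1000u
#if SQUID_CERT_VALIDATION_ITERATION_MAX >= UINT32_MAX
#error "SQUID_CERT_VALIDATION_ITERATION_MAX must be below UINT32_MAX"
#endif

/* Per-connection state (constructed; Squid would keep it in SSL ex_data). */
struct verify_state {
    uint32_t iterations;   /* fixed-size counter, as requested in review */
    int error;             /* error reported to OpenSSL, 0 if none */
};

/* Same shape as an OpenSSL verify callback: preverify_ok is OpenSSL's own
   verdict; returning 0 tells OpenSSL the certificate is invalid, which is
   what terminates the connection and so cannot be bypassed by
   sslproxy_cert_error. */
int counted_verify_cb(int preverify_ok, struct verify_state *st)
{
    if (st->iterations < UINT32_MAX)
        st->iterations++;                   /* saturate, never wrap */
    if (st->iterations >= SQUID_CERT_VALIDATION_ITERATION_MAX) {
        st->error = SQUID_X509_V_ERR_INFINITE_VALIDATION;
        return 0;
    }
    return preverify_ok;
}

struct sim_result {
    uint32_t invocations;   /* callbacks made before OpenSSL would give up */
    int error;
};

/* Simulates OpenSSL re-entering the callback openssl_calls times for one
   connection (a sane chain calls it a handful of times; the looping bug
   calls it without end). Stops as soon as the callback returns 0. */
struct sim_result simulate_validation(uint32_t openssl_calls)
{
    struct verify_state st = {0, 0};
    struct sim_result r = {0, 0};
    for (uint32_t i = 0; i < openssl_calls; i++) {
        r.invocations++;
        if (!counted_verify_cb(1, &st))
            break;
    }
    r.error = st.error;
    return r;
}
```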
Received on Fri Jul 26 2013 - 12:49:46 MDT
