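--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -440,6 +440,7 @@ Thank you!
 Reinhard Sojka <reinhard.sojka@parlament.gv.at>
 Rene Geile <rene.geile@t-online.de>
 Reuben Farrelly <reuben@reub.net>
+Ricardo Ferreira Ribeiro <garb12@pm.me>
 Richard Huveneers <Richard.Huveneers@hekkihek.hacom.nl>
 Richard Huveneers <richard@hekkihek.hacom.nl>
 Richard Sharpe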
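--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -18,6 +18,7 @@
 #include "security/ErrorDetail.h"
 #include "security/NegotiationHistory.h"
 #include "SquidConfig.h"
+#include "src/base/IoManip.h"
 #include "ssl/bio.h"
 #include "ssl/PeekingPeerConnector.h"
 #include "ssl/ServerBump.h"
@@ -196,6 +197,22 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
 srvBio->setClientFeatures(details, cltBio->rBufData());
 srvBio->recordInput(true);
 srvBio->mode(csd->sslBumpMode);
+
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
+// While peeking, Squid is not generating any TLS bytes, but we are
+// still being driven by OpenSSL negotiation logic. We enable as
+// many features and workarounds as possible to reduce cases where
+// OpenSSL refuses to accept a valid TLS server response. This code
+// assumes that an admin should not expect a peeking Squid to
+// automatically enforce a particular set of TLS conditions (e.g.,
+// "no legacy TLS servers"). When that assumption is invalidated, we
+// will need to add a configuration directive to set peeking TLS
+// options.
+if (csd->sslBumpMode == Ssl::bumpPeek && SSL_OP_LEGACY_SERVER_CONNECT) {
+const auto adjustedOptions = SSL_set_options(serverSession.get(), SSL_OP_LEGACY_SERVER_CONNECT);
+debugs(83, 5, "post-SSL_OP_LEGACY_SERVER_CONNECT options for session=" << serverSession << ": " << asHex(adjustedOptions));
+}
+#endif
 } else {
 const bool redirected = request->flags.redirected && ::Config.onoff.redir_rewrites_host;
 const char *sniServer = (!hostName || redirected) ?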
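Review bot: The new comment above the `SSL_set_options()` call says "as many features and workarounds as possible" but never names the specific protection being given up, which is the one fact a future maintainer auditing the peek path needs: `SSL_OP_LEGACY_SERVER_CONNECT` lets the server-side session proceed with an origin that lacks RFC 5746 secure-renegotiation support (the CVE-2009-3555 class of server). I would add one line after the existing paragraph: `// SSL_OP_LEGACY_SERVER_CONNECT: accept origins lacking RFC 5746 secure renegotiation; tolerable here only because a peeking Squid sends no TLS bytes of its own.` The option is set on `serverSession` and nothing in this hunk clears it, so it presumably stays in effect if the peeked connection is later bumped and Squid does start driving the origin handshake itself — worth confirming and, if so, saying so in the same comment. The `&& SSL_OP_LEGACY_SERVER_CONNECT` operand in the `if` looks like a guard against the macro being defined as zero rather than a duplicate of the `#if defined`; a short comment saying so would keep it from being removed as redundant. `PeekingPeerConnector::initialize` starts and ends outside this hunk.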