Expand %x and %D after bumped SQUID_X509_V_ERR_DOMAIN_MISMATCH #2373
Closed
somecookie wants to merge 4 commits into squid-cache:master from
Squid detects SQUID_X509_V_ERR_DOMAIN_MISMATCH errors on various processing stages, including when receiving an HTTP request on a successfully bumped TLS connection. If that request targets a domain not covered by the server certificate, and sslproxy_cert_error prohibits a mismatch (it does by default), then Squid terminates the transaction with an ERR_SECURE_CONNECT_FAIL response. That generated error response body lacked %x and %D error details:

```diff
 The system returned:
-[No Error] (TLS code: [Unknown Error Code])
+[No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
-[No Error Detail]
+Certificate does not match domainname: /L=.../O=.../CN=a.test
```

The first `[No Error]` expansion of %E remains unchanged because this particular error does not set `errno`.

ConnStateData::serveDelayedError() changes fix the above problem, but %x expansion in error pages and %err_detail in the access log get a misleading `+broken_cert` detail. To address that flaw, we changed the default for the broken certificate in the Security::ErrorDetail constructor API from the peer certificate to nil. When the broken certificate is nil, ErrorDetail now uses the valid certificate to expand %ssl_cn and similar certificate-inspecting error page %codes.

All Security::ErrorDetail creators were checked and adjusted if needed:

* ConnStateData::serveDelayedError(): No caller changes. Using the new ErrorDetail creation API fixes this code by supplying a nil broken certificate (because the certificate is _valid_ in this context).
* ssl_verify_cb(): No caller changes. We already use the peer certificate as the default broken certificate because doing so is "reasonable" here.
* Security::PeerConnector::sslCrtvdCheckForErrors(): Adjusted to keep the original "if there was no error_cert_ID, then use peerCert" behavior while using the new Security::ErrorDetail creation API.

Thus, the last two contexts are not affected by this error reporting API change. The exceptional serveDelayedError() caller is affected, but Squid did not report any certificate detail in that case until this branch fixes, so this branch does not change one "reporting certificate" to another; it only starts reporting (important) information when none was available before.

----

Squash-merged (fast-forward eligible) SQUID-1088-bumped-domain-mismatch-details-bag64a as of commit 7a3c87b.
This reverts commit 76a3d4a.
rousskov (Contributor) approved these changes on Feb 10, 2026 and left a comment:
The earlier variation of these changes was tested in production. This master-based variation was lab-tested.
squid-anubis pushed a commit that referenced this pull request on Feb 12, 2026:
Squid detects SQUID_X509_V_ERR_DOMAIN_MISMATCH errors during various processing stages, including when receiving an HTTP request on a successfully bumped TLS connection. If that request targets a domain not covered by the server certificate, and sslproxy_cert_error prohibits a mismatch (it does by default), then Squid terminates the transaction with an ERR_SECURE_CONNECT_FAIL response. That generated error response body lacked %x and %D error details:

```diff
 The system returned:
-[No Error] (TLS code: [Unknown Error Code])
+[No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
-[No Error Detail]
+Certificate does not match domainname: /L=.../O=.../CN=example.com
```

The first `[No Error]` expansion of %E remains unchanged because this particular error does not set `errno`.

ConnStateData::serveDelayedError() changes fix the above problem, but %x expansion in error pages and %err_detail in the access log get a misleading `+broken_cert` detail. To address that flaw, we changed the default for the broken certificate in the Security::ErrorDetail constructor API from the peer certificate to nil. When the broken certificate is nil, ErrorDetail now uses the valid certificate to expand %ssl_cn and similar certificate-inspecting error page %codes.

All Security::ErrorDetail creators were checked and adjusted if needed:

* ConnStateData::serveDelayedError(): No caller changes. Using the new ErrorDetail creation API fixes this code by supplying a nil broken certificate (because the certificate is _valid_ in this context).
* ssl_verify_cb(): No caller changes. We already use the peer certificate as the default broken certificate because doing so is "reasonable" here.
* Security::PeerConnector::sslCrtvdCheckForErrors(): Adjusted to keep the original "if there was no error_cert_ID, then use peerCert" behavior while using the new Security::ErrorDetail creation API.

Thus, the last two contexts are not affected by this error reporting API change. The exceptional serveDelayedError() caller is affected, but Squid did not report any certificate detail in that case until this branch fixes, so this branch does not change one "reporting certificate" to another; it only starts reporting (important) information when none was available before.

This is a Measurement Factory project.
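The pull request description and the squash commit message above both describe the same mechanism: an error detail holds an optional "broken" certificate, certificate-inspecting %codes such as %ssl_cn fall back to the valid peer certificate when no broken one was recorded, and %err_detail gains a `+broken_cert` mark only when one was. The following is an added illustrative model written for this page; it is not Squid's code, and the `ErrorDetail` class, `TlsError` enum, `Certificate` struct, the exact `%err_detail` string format and the sample certificate values are all constructed assumptions. It contrasts the bumped-connection case (valid certificate, nil broken certificate) with the verification-callback case (the peer certificate really is the broken one), and shows what the old peer-certificate default would have reported for the bumped case.

```cpp
// Added illustrative model (not Squid's code): how a TLS error detail chooses
// which certificate to inspect when expanding error page %codes, and why a
// nil "broken certificate" default avoids a misleading "+broken_cert" mark.
#include <cstring>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for a parsed X.509 certificate (hypothetical type).
struct Certificate {
    std::string subject;  // e.g. "/L=Test/O=Example/CN=a.test"
    std::string cn;       // CommonName, what %ssl_cn would show
};
using CertPointer = std::shared_ptr<const Certificate>;

// Hypothetical error code enum; only the code discussed on the page is modelled.
enum class TlsError { None, DomainMismatch };

static const char *tlsErrorName(TlsError code) {
    switch (code) {
    case TlsError::DomainMismatch: return "SQUID_X509_V_ERR_DOMAIN_MISMATCH";
    default: return "[Unknown Error Code]";
    }
}

// Hypothetical ErrorDetail: the broken certificate defaults to nil (the new
// default the page describes), not to the peer certificate.
class ErrorDetail {
public:
    ErrorDetail(TlsError code, int sysErrno, CertPointer peer,
                CertPointer broken = nullptr, std::string reason = "")
        : code_(code), sysErrno_(sysErrno), peer_(std::move(peer)),
          broken_(std::move(broken)), reason_(std::move(reason)) {}

    // %E: the system error text; a domain mismatch does not set errno.
    std::string expandE() const {
        return sysErrno_ ? std::string(std::strerror(sysErrno_)) : "[No Error]";
    }
    // %x: the TLS/validation error code name.
    std::string expandX() const { return tlsErrorName(code_); }
    // %D: the human-readable detail, naming the inspected certificate subject.
    std::string expandD() const {
        if (reason_.empty()) return "[No Error Detail]";
        const CertPointer cert = inspected();
        return cert ? reason_ + ": " + cert->subject : reason_;
    }
    // %ssl_cn and similar certificate-inspecting codes use the broken
    // certificate when there is one and fall back to the valid peer cert.
    std::string expandSslCn() const {
        const CertPointer cert = inspected();
        return cert ? cert->cn : "[Unknown CN]";
    }
    // %err_detail for the access log (string format is an assumption): the
    // code name, plus "+broken_cert" only when a broken certificate exists.
    std::string errDetail() const {
        std::string detail = tlsErrorName(code_);
        if (broken_) detail += "+broken_cert";
        return detail;
    }

private:
    CertPointer inspected() const { return broken_ ? broken_ : peer_; }
    TlsError code_;
    int sysErrno_;
    CertPointer peer_, broken_;
    std::string reason_;
};

// Constructed sample server certificate; a.test is not a real deployment.
static CertPointer constructedServerCert() {
    return std::make_shared<Certificate>(
        Certificate{"/L=Test/O=Example/CN=a.test", "a.test"});
}

// Bumped-connection case: the server certificate validated fine, but a later
// request on that connection targets a domain it does not cover. The
// certificate is valid here, so no broken certificate is supplied.
ErrorDetail bumpedDomainMismatchDetail() {
    return ErrorDetail(TlsError::DomainMismatch, 0, constructedServerCert(),
                       nullptr, "Certificate does not match domainname");
}

// Verification-callback case: the peer certificate itself failed validation,
// so passing it as the broken certificate is accurate.
ErrorDetail verifyCallbackDetail() {
    const CertPointer peer = constructedServerCert();
    return ErrorDetail(TlsError::DomainMismatch, 0, peer, peer,
                       "Certificate does not match domainname");
}

// What the old peer-certificate default reported for the bumped case.
ErrorDetail bumpedDetailWithOldDefault() {
    const CertPointer peer = constructedServerCert();
    return ErrorDetail(TlsError::DomainMismatch, 0, peer, peer,
                       "Certificate does not match domainname");
}

int main() {
    const ErrorDetail d = bumpedDomainMismatchDetail();
    std::cout << "The system returned: " << d.expandE()
              << " (TLS code: " << d.expandX() << ")\n" << d.expandD() << "\n"
              << "err_detail (nil default): " << d.errDetail() << "\n"
              << "err_detail (old default): "
              << bumpedDetailWithOldDefault().errDetail() << "\n";
    return 0;
}
```

With the nil default, the bumped case expands %ssl_cn and %D from the valid certificate and logs a plain code name; with the old default, the same transaction was logged with `+broken_cert` even though nothing about the certificate was broken, which is the misleading detail the description refers to.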