Do not lookup IP addresses of X509 certificate subject CNs (#1967)
A true-vs-false `nodns` parameter value bug in a recent commit 22b2a7a
caused, in some environments, significant startup delays and/or runtime
stalls because getaddrinfo(3) performed blocking DNS lookups when
parsing common names of X509 certificate subjects. Squid parses CNs when
loading configured and validating received certificates. Other side
effects may have included Squid-generated certificates having wrong
alternative subject names and/or wrong certificate validation results.

Negative names and context-disassociated boolean constants strike again!
Fortunately, associated problematic Ip::Address::lookupHostIP() will be
replaced when the existing Ip::Address::Parse() TODO is addressed.
rousskov authored and squid-anubis committed Dec 30, 2024
1 parent 16cafa1 commit d1db494
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/ip/Address.cc
Expand Up @@ -45,7 +45,7 @@ Ip::Address::Parse(const char * const raw)
{
Address tmp;
// TODO: Merge with lookupHostIP() after removing DNS lookups from Ip.
if (tmp.lookupHostIP(raw, false))
if (tmp.lookupHostIP(raw, true))
return tmp;
return std::nullopt;
}
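Review bot: the fix at `if (tmp.lookupHostIP(raw, true))` still passes a bare positional boolean, which is exactly the "context-disassociated boolean constant" pattern the commit message blames for the regression; a reader of this call site cannot tell whether `true` means "do DNS" or "no DNS" without opening the callee. Until the noted TODO removes DNS lookups from Ip entirely, consider naming the argument where it is used, e.g. `const auto noDns = true; if (tmp.lookupHostIP(raw, noDns))`, or adding a brief comment on this line stating that `true` suppresses the getaddrinfo(3) lookup, so the next reader (or a future merge of `Parse()` and `lookupHostIP()`) does not reintroduce the blocking lookup. Since the only change is a flipped literal with no accompanying test, a regression check that `Ip::Address::Parse()` returns `std::nullopt` for a non-literal hostname without performing a resolver call would guard the intended behaviour.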