Reuse parent srvdst as dst of first child to avoid connecting to server twice, first conn was to get server cert for forging, so we xfer srvdst to first child after parent does not need it anymore

5 years ago · 3cbcffcebc
parent 78ba1e075c
commit 3cbcffcebc
24 changed files with 154 additions and 426 deletions
--- a/extra/testproxy/ca_testset_1.json
+++ b/extra/testproxy/ca_testset_1.json
@ -34,11 +34,6 @@
          }
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
--- a/extra/testproxy/ca_testset_2.json
+++ b/extra/testproxy/ca_testset_2.json
@ -35,11 +35,6 @@
          }
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
--- a/extra/testproxy/http_testset_1.json
+++ b/extra/testproxy/http_testset_1.json
@ -68,27 +68,21 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nSSLproxy: sslproxy\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": "",
-          "comment": "To obtain server crt, SSLproxy srvdst connects/disconnects to the server without sending any data, so we should have this as the second state in all tests"
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "6": {
+        "5": {
          "testend": "server",
          "cmd": "timeout",
          "payload": "",
@ -105,21 +99,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nSSLproxy: sslproxy\r\nSSLproxy: sslproxy\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -135,21 +124,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: Keep-Alive\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -165,21 +149,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nUpgrade: websocket\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -195,21 +174,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nKeep-Alive: keep-alive\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -225,21 +199,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nAccept-Encoding: encoding\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nAccept-Encoding: encoding\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -255,21 +224,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nVia: via\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -285,21 +249,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nX-Forwarded-For: x-forwarded-for\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -315,21 +274,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nReferer: referer\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
--- a/extra/testproxy/http_testset_2.json
+++ b/extra/testproxy/http_testset_2.json
@ -40,21 +40,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nPublic-Key-Pins: public-key-pins\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -70,21 +65,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nPublic-Key-Pins-Report-Only: public-key-pins-report-only\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -100,21 +90,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nStrict-Transport-Security: strict-transport-security\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -130,21 +115,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nExpect-CT: expect-ct\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -160,21 +140,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nAlternate-Protocol: alternate-protocol\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -190,21 +165,16 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "send",
          "payload": "HTTP/1.1 302 Found\r\nUpgrade: upgrade\r\nLocation: sslproxy\r\n\r\n"
        },
-        "5": {
+        "4": {
          "testend": "client",
          "cmd": "recv",
          "payload": "HTTP/1.1 302 Found\r\nLocation: sslproxy\r\n\r\n"
@ -221,11 +191,6 @@
          "comment": "It is easier to send a dummy POST ocsp request than a valid GET one"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "POST / HTTP/1.1\r\nHost: comixwall.org\r\nContent-Type: application/ocsp-request\r\nConnection: close\r\n\r\n"
--- a/extra/testproxy/http_testset_3.json
+++ b/extra/testproxy/http_testset_3.json
@ -41,16 +41,11 @@
          "comment": "It is easier to send a dummy POST ocsp request than a valid GET one"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "client",
          "cmd": "recv",
          "payload_file": "payload_ocsp_denied_response.bin"
        },
-        "4": {
+        "3": {
          "testend": "server",
          "cmd": "timeout",
          "payload": ""
@ -66,11 +61,6 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nAccept-Encoding: encoding\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
@ -86,11 +76,6 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nReferer: referer\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nReferer: referer\r\nConnection: close\r\n\r\n"
--- a/extra/testproxy/proto_validate_testset_1.json
+++ b/extra/testproxy/proto_validate_testset_1.json
@ -40,12 +40,6 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": "",
-          "comment": "To obtain server crt, SSLproxy srvdst connects/disconnects to the server without sending any data, so we should have this as the second state in all tests"
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
@ -63,13 +57,8 @@
        "2": {
          "testend": "server",
          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
-          "testend": "server",
-          "cmd": "timeout",
          "payload": "",
-          "comment": "SSLproxy should not validate method GE, so not connect to server"
+          "comment": "SSLproxy should not validate method GE, so should not send any data"
        }
      }
    },
@ -85,11 +74,6 @@
          "testend": "server",
          "cmd": "recv",
          "payload": ""
-        },
-        "3": {
-          "testend": "server",
-          "cmd": "timeout",
-          "payload": ""
        }
      }
    },
@ -105,11 +89,6 @@
          "testend": "server",
          "cmd": "recv",
          "payload": ""
-        },
-        "3": {
-          "testend": "server",
-          "cmd": "timeout",
-          "payload": ""
        }
      }
    }
--- a/extra/testproxy/proto_validate_testset_2.json
+++ b/extra/testproxy/proto_validate_testset_2.json
@ -40,11 +40,6 @@
          "payload": "POST / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "POST / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
@ -62,13 +57,8 @@
        "2": {
          "testend": "server",
          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
-          "testend": "server",
-          "cmd": "timeout",
          "payload": "",
-          "comment": "SSLproxy should not validate method POS, so not connect to server"
+          "comment": "SSLproxy should not validate method POS, so should not send any data"
        }
      }
    },
@ -84,11 +74,6 @@
          "testend": "server",
          "cmd": "recv",
          "payload": ""
-        },
-        "3": {
-          "testend": "server",
-          "cmd": "timeout",
-          "payload": ""
        }
      }
    },
@ -104,11 +89,6 @@
          "testend": "server",
          "cmd": "recv",
          "payload": ""
-        },
-        "3": {
-          "testend": "server",
-          "cmd": "timeout",
-          "payload": ""
        }
      }
    }
--- a/extra/testproxy/ssl_tcp_testends_testset_1.json
+++ b/extra/testproxy/ssl_tcp_testends_testset_1.json
@ -26,11 +26,6 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "timeout",
          "payload": ""
--- a/extra/testproxy/ssl_testset_1.json
+++ b/extra/testproxy/ssl_testset_1.json
@ -118,51 +118,6 @@
          }
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": "",
-          "assert": {
-            "current_cipher_name": {
-              "match": [
-                "ECDHE-[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+",
-                "[A-Z0-9]+-[A-Z0-9]+-AES256-[A-Z0-9]+-[A-Z0-9]+",
-                "[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+-SHA384"
-              ],
-              "!match": [
-                "^DHE-\\w+-\\w+-\\w+",
-                "\\w+-\\w+-SEED-\\w+",
-                "\\w+-\\w+-\\w+-SHA$"
-              ]
-            },
-            "current_cipher_version": {
-              "==": [
-                "TLSv1.2"
-              ],
-              "!match": [
-                "^(SSLv3|TLSv1|TLSv1\\.[13]?)$"
-              ]
-            },
-            "ssl_proto_version": {
-              "==": [
-                "TLSv1.2"
-              ],
-              "!match": [
-                "^(SSLv3|TLSv1|TLSv1\\.[13]?)$"
-              ]
-            },
-            "ssl_state": {
-              "==": [
-                "SSLOK "
-              ]
-            },
-            "sni_servername": {
-              "==": [
-                "comixwall.org"
-              ]
-            }
-          }
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n",
--- a/extra/testproxy/ssl_testset_2.json
+++ b/extra/testproxy/ssl_testset_2.json
@ -79,36 +79,6 @@
          }
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": "",
-          "assert": {
-            "current_cipher_version": {
-              "==": [
-                "TLSv1.0"
-              ],
-              "!match": [
-                "SSLv3",
-                "^TLSv1\\.[1-3]?$"
-              ]
-            },
-            "ssl_proto_version": {
-              "==": [
-                "TLSv1"
-              ],
-              "!match": [
-                "SSLv3",
-                "^TLSv1\\.[1-3]?$"
-              ]
-            },
-            "ssl_state": {
-              "==": [
-                "SSLOK "
-              ]
-            }
-          }
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n",
--- a/extra/testproxy/ssl_testset_3.json
+++ b/extra/testproxy/ssl_testset_3.json
@ -81,38 +81,6 @@
          }
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": "",
-          "assert": {
-            "current_cipher_version": {
-              "==": [
-                "TLSv1.0",
-                "TLSv1.1"
-              ],
-              "!match": [
-                "SSLv3",
-                "^TLSv1\\.[23]?$"
-              ]
-            },
-            "ssl_proto_version": {
-              "==": [
-                "TLSv1.0",
-                "TLSv1.1"
-              ],
-              "!match": [
-                "SSLv3",
-                "^TLSv1\\.[23]?$"
-              ]
-            },
-            "ssl_state": {
-              "==": [
-                "SSLOK "
-              ]
-            }
-          }
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n",
--- a/extra/testproxy/ssl_testset_4.json
+++ b/extra/testproxy/ssl_testset_4.json
@ -81,38 +81,6 @@
          }
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": "",
-          "assert": {
-            "current_cipher_version": {
-              "==": [
-                "TLSv1.2"
-              ],
-              "!match": [
-                "SSLv3",
-                "^TLSv1\\.[013]?$"
-              ]
-            },
-            "ssl_proto_version": {
-              "==": [
-                "TLSv1.2"
-              ],
-              "!=": [
-                "SSLv3"
-              ],
-              "!match": [
-                "^TLSv1\\.[013]?$"
-              ]
-            },
-            "ssl_state": {
-              "==": [
-                "SSLOK "
-              ]
-            }
-          }
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n",
--- a/extra/testproxy/sslproxy.conf
+++ b/extra/testproxy/sslproxy.conf
@ -31,7 +31,7 @@ StatsPeriod 1
 ConnIdleTimeout 120
 ExpiredConnCheckPeriod 10
 SSLShutdownRetryDelay 100
-#UserDBPath /var/db/users.db
+UserDBPath users.db

 # Default ProxySpec options (cloned to each proxyspec)
 CACert ca.crt
@ -246,3 +246,23 @@ ProxySpec {
 	CACert ca2.crt
 	CAKey ca2.key
 }
+
+# Tests for UserAuth
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8187
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9187
+	UserAuth yes
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8459
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9459
+	UserAuth yes
+}
--- a/extra/testproxy/testharness.json
+++ b/extra/testproxy/testharness.json
@ -35,7 +35,9 @@
        "2": "verifypeer_testset_1.json",
        "3": "verifypeer_testset_2.json",
        "4": "ca_testset_1.json",
-        "5": "ca_testset_2.json"
+        "5": "ca_testset_2.json",
+        "6": "userauth_testset_1.json",
+        "7": "userauth_testset_2.json"
      }
    }
  }
--- a/extra/testproxy/userauth_testset_1.json
+++ b/extra/testproxy/userauth_testset_1.json
@ -0,0 +1,36 @@
+{
+  "comment": "Tests for UserAuth with TCP",
+  "configs": {
+    "1": {
+      "proto": {
+        "proto": "tcp"
+      },
+      "client": {
+        "ip": "127.0.0.1",
+        "port": "8187"
+      },
+      "server": {
+        "ip": "127.0.0.1",
+        "port": "9187"
+      }
+    }
+  },
+  "tests": {
+    "1": {
+      "comment": "Rejects IP with user auth enabled",
+      "states": {
+        "1": {
+          "testend": "client",
+          "cmd": "send",
+          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n",
+          "comment": "SSLproxy rejects conn because it cannot find the ethernet address of the client"
+        },
+        "2": {
+          "testend": "server",
+          "cmd": "recv",
+          "payload": ""
+        }
+      }
+    }
+  }
+}
--- a/extra/testproxy/userauth_testset_2.json
+++ b/extra/testproxy/userauth_testset_2.json
@ -1,5 +1,5 @@
 {
-  "comment": "Tests for UserAuth",
+  "comment": "Tests for UserAuth with SSL",
  "configs": {
    "1": {
      "proto": {
@ -7,11 +7,11 @@
      },
      "client": {
        "ip": "127.0.0.1",
-        "port": "8458"
+        "port": "8459"
      },
      "server": {
        "ip": "127.0.0.1",
-        "port": "9458",
+        "port": "9459",
        "crt": "server.crt",
        "key": "server.key"
      }
@ -23,8 +23,9 @@
      "states": {
        "1": {
          "testend": "client",
-          "cmd": "send",
-          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
+          "cmd": "sslconnectfail",
+          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n",
+          "comment": "SSLproxy rejects conn because it cannot find the ethernet address of the client"
        },
        "2": {
          "testend": "server",
--- a/extra/testproxy/users.db
+++ b/extra/testproxy/users.db
--- a/extra/testproxy/verifypeer_testset_1.json
+++ b/extra/testproxy/verifypeer_testset_1.json
@ -27,11 +27,6 @@
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\n\r\n"
        },
        "2": {
-          "testend": "server",
-          "cmd": "recv",
-          "payload": ""
-        },
-        "3": {
          "testend": "server",
          "cmd": "recv",
          "payload": "GET / HTTP/1.1\r\nHost: comixwall.org\r\nConnection: close\r\n\r\n"
--- a/protoautossl.c
+++ b/protoautossl.c
@ -298,28 +298,6 @@ protoautossl_bev_eventcb_connected_src(UNUSED struct bufferevent *bev, UNUSED px
 #endif /* DEBUG_PROXY */
 }

-static void NONNULL(1)
-protoautossl_close_srvdst(pxy_conn_ctx_t *ctx)
-{
-#ifdef DEBUG_PROXY
-	log_dbg_level_printf(LOG_DBG_MODE_FINER, "protoautossl_close_srvdst: Closing srvdst, srvdst fd=%d, fd=%d\n", bufferevent_getfd(ctx->srvdst.bev), ctx->fd);
-#endif /* DEBUG_PROXY */
-
-	// @attention Free the srvdst of the conn asap, we don't need it anymore, but we need its fd
-	// So save its ssl info for logging
-	// @todo Do we always have srvdst.ssl or not? Can we use ssl or tcp versions of this function?
-	if (ctx->srvdst.ssl) {
-		ctx->sslctx->srvdst_ssl_version = strdup(SSL_get_version(ctx->srvdst.ssl));
-		ctx->sslctx->srvdst_ssl_cipher = strdup(SSL_get_cipher(ctx->srvdst.ssl));
-	}
-
-	// @attention When both eventcb and writecb for srvdst are enabled, either eventcb or writecb may get a NULL srvdst bev, causing a crash with signal 10.
-	// So, from this point on, we should check if srvdst is NULL or not.
-	ctx->srvdst.free(ctx->srvdst.bev, ctx);
-	ctx->srvdst.bev = NULL;
-	ctx->srvdst.closed = 1;
-}
-
 static int NONNULL(1)
 protoautossl_enable_src(pxy_conn_ctx_t *ctx)
 {
@ -352,9 +330,10 @@ protoautossl_enable_src(pxy_conn_ctx_t *ctx)
 	}
 	bufferevent_setcb(ctx->src.bev, pxy_bev_readcb, pxy_bev_writecb, pxy_bev_eventcb, ctx);

-	// srvdst is not needed after clienthello search is over
-	if (ctx->srvdst.bev && !autossl_ctx->clienthello_search) {
-		protoautossl_close_srvdst(ctx);
+	// srvdst is xferred to the first child conn, so save the srvdst ssl info for logging
+	if (ctx->srvdst.bev && !autossl_ctx->clienthello_search && ctx->srvdst.ssl) {
+		ctx->sslctx->srvdst_ssl_version = strdup(SSL_get_version(ctx->srvdst.ssl));
+		ctx->sslctx->srvdst_ssl_cipher = strdup(SSL_get_cipher(ctx->srvdst.ssl));
 	}

 	// Skip child listener setup if completing autossl upgrade, after finding clienthello
--- a/protohttp.c
+++ b/protohttp.c
@ -134,8 +134,8 @@ protohttp_log_connect(pxy_conn_ctx_t *ctx)
 		              STRORDASH(ctx->sslctx->ssl_names),
 		              SSL_get_version(ctx->src.ssl),
 		              SSL_get_cipher(ctx->src.ssl),
-		              !ctx->srvdst.closed ? SSL_get_version(ctx->srvdst.ssl):ctx->sslctx->srvdst_ssl_version,
-		              !ctx->srvdst.closed ? SSL_get_cipher(ctx->srvdst.ssl):ctx->sslctx->srvdst_ssl_cipher,
+		              STRORDASH(ctx->sslctx->srvdst_ssl_version),
+		              STRORDASH(ctx->sslctx->srvdst_ssl_cipher),
 		              STRORDASH(ctx->sslctx->origcrtfpr),
 		              STRORDASH(ctx->sslctx->usedcrtfpr),
 #ifdef HAVE_LOCAL_PROCINFO
--- a/protossl.c
+++ b/protossl.c
@ -1320,19 +1320,27 @@ protossl_setup_dst_ssl_child(pxy_conn_child_ctx_t *ctx)
 int
 protossl_setup_dst_child(pxy_conn_child_ctx_t *ctx)
 {
-	if (protossl_setup_dst_ssl_child(ctx) == -1) {
-		return -1;
-	}
+	if (!ctx->conn->srvdst_xferred) {
+		// Reuse srvdst of parent in the first child conn
+		ctx->conn->srvdst_xferred = 1;
+		ctx->dst = ctx->conn->srvdst;
+		bufferevent_setcb(ctx->dst.bev, pxy_bev_readcb_child, pxy_bev_writecb_child, pxy_bev_eventcb_child, ctx);
+		ctx->protoctx->bev_eventcb(ctx->dst.bev, BEV_EVENT_CONNECTED, ctx);
+	} else {
+		if (protossl_setup_dst_ssl_child(ctx) == -1) {
+			return -1;
+		}

-	ctx->dst.bev = protossl_bufferevent_setup_child(ctx, -1, ctx->dst.ssl);
-	if (!ctx->dst.bev) {
-		log_err_level_printf(LOG_CRIT, "Error creating dst bufferevent\n");
-		SSL_free(ctx->dst.ssl);
-		ctx->dst.ssl = NULL;
-		pxy_conn_term(ctx->conn, 1);
-		return -1;
+		ctx->dst.bev = protossl_bufferevent_setup_child(ctx, -1, ctx->dst.ssl);
+		if (!ctx->dst.bev) {
+			log_err_level_printf(LOG_CRIT, "Error creating dst bufferevent\n");
+			SSL_free(ctx->dst.ssl);
+			ctx->dst.ssl = NULL;
+			pxy_conn_term(ctx->conn, 1);
+			return -1;
+		}
+		ctx->dst.free = protossl_bufferevent_free_and_close_fd;
 	}
-	ctx->dst.free = protossl_bufferevent_free_and_close_fd;
 	return 0;
 }

@ -1417,25 +1425,6 @@ protossl_setup_dst_new_bev_ssl_connecting_child(pxy_conn_child_ctx_t *ctx)
 	return 0;
 }

-static void NONNULL(1)
-protossl_close_srvdst(pxy_conn_ctx_t *ctx)
-{
-#ifdef DEBUG_PROXY
-	log_dbg_level_printf(LOG_DBG_MODE_FINER, "protossl_close_srvdst: Closing srvdst, srvdst fd=%d, fd=%d\n", bufferevent_getfd(ctx->srvdst.bev), ctx->fd);
-#endif /* DEBUG_PROXY */
-
-	// @attention Free the srvdst of the conn asap, we don't need it anymore, but we need its fd
-	// So save its ssl info for logging
-	ctx->sslctx->srvdst_ssl_version = strdup(SSL_get_version(ctx->srvdst.ssl));
-	ctx->sslctx->srvdst_ssl_cipher = strdup(SSL_get_cipher(ctx->srvdst.ssl));
-
-	// @attention When both eventcb and writecb for srvdst are enabled, either eventcb or writecb may get a NULL srvdst bev, causing a crash with signal 10.
-	// So, from this point on, we should check if srvdst is NULL or not.
-	ctx->srvdst.free(ctx->srvdst.bev, ctx);
-	ctx->srvdst.bev = NULL;
-	ctx->srvdst.closed = 1;
-}
-
 static int NONNULL(1)
 protossl_enable_src(pxy_conn_ctx_t *ctx)
 {
@ -1446,7 +1435,9 @@ protossl_enable_src(pxy_conn_ctx_t *ctx)
 	}
 	bufferevent_setcb(ctx->src.bev, pxy_bev_readcb, pxy_bev_writecb, pxy_bev_eventcb, ctx);

-	protossl_close_srvdst(ctx);
+	// Save the srvdst ssl info for logging
+	ctx->sslctx->srvdst_ssl_version = strdup(SSL_get_version(ctx->srvdst.ssl));
+	ctx->sslctx->srvdst_ssl_cipher = strdup(SSL_get_cipher(ctx->srvdst.ssl));

 	if (pxy_setup_child_listener(ctx) == -1) {
 		return -1;
--- a/prototcp.c
+++ b/prototcp.c
@ -208,14 +208,22 @@ prototcp_setup_src_child(pxy_conn_child_ctx_t *ctx)
 int
 prototcp_setup_dst_child(pxy_conn_child_ctx_t *ctx)
 {
-	ctx->dst.ssl = NULL;
-	ctx->dst.bev = prototcp_bufferevent_setup_child(ctx, -1);
-	if (!ctx->dst.bev) {
-		log_err_level_printf(LOG_CRIT, "Error creating bufferevent\n");
-		pxy_conn_term(ctx->conn, 1);
-		return -1;
+	if (!ctx->conn->srvdst_xferred) {
+		// Reuse srvdst of parent in the first child conn
+		ctx->conn->srvdst_xferred = 1;
+		ctx->dst = ctx->conn->srvdst;
+		bufferevent_setcb(ctx->dst.bev, pxy_bev_readcb_child, pxy_bev_writecb_child, pxy_bev_eventcb_child, ctx);
+		ctx->protoctx->bev_eventcb(ctx->dst.bev, BEV_EVENT_CONNECTED, ctx);
+	} else {
+		ctx->dst.ssl = NULL;
+		ctx->dst.bev = prototcp_bufferevent_setup_child(ctx, -1);
+		if (!ctx->dst.bev) {
+			log_err_level_printf(LOG_CRIT, "Error creating bufferevent\n");
+			pxy_conn_term(ctx->conn, 1);
+			return -1;
+		}
+		ctx->dst.free = prototcp_bufferevent_free_and_close_fd;
 	}
-	ctx->dst.free = prototcp_bufferevent_free_and_close_fd;
 	return 0;
 }

@ -612,21 +620,6 @@ prototcp_bev_writecb_dst_child(struct bufferevent *bev, pxy_conn_child_ctx_t *ct
 	pxy_try_unset_watermark(bev, ctx->conn, &ctx->src);
 }

-static void NONNULL(1)
-prototcp_close_srvdst(pxy_conn_ctx_t *ctx)
-{
-#ifdef DEBUG_PROXY
-	log_dbg_level_printf(LOG_DBG_MODE_FINER, "prototcp_close_srvdst: Closing srvdst, srvdst fd=%d, fd=%d\n", bufferevent_getfd(ctx->srvdst.bev), ctx->fd);
-#endif /* DEBUG_PROXY */
-
-	// @attention Free the srvdst of the conn asap, we don't need it anymore, but we need its fd
-	// @attention When both eventcb and writecb for srvdst are enabled, either eventcb or writecb may get a NULL srvdst bev, causing a crash with signal 10.
-	// So, from this point on, we should check if srvdst is NULL or not.
-	ctx->srvdst.free(ctx->srvdst.bev, ctx);
-	ctx->srvdst.bev = NULL;
-	ctx->srvdst.closed = 1;
-}
-
 static int NONNULL(1)
 prototcp_enable_src(pxy_conn_ctx_t *ctx)
 {
@ -635,8 +628,6 @@ prototcp_enable_src(pxy_conn_ctx_t *ctx)
 	}
 	bufferevent_setcb(ctx->src.bev, pxy_bev_readcb, pxy_bev_writecb, pxy_bev_eventcb, ctx);

-	prototcp_close_srvdst(ctx);
-
 	if (pxy_setup_child_listener(ctx) == -1) {
 		return -1;
 	}
--- a/pxyconn.c
+++ b/pxyconn.c
@ -491,7 +491,8 @@ pxy_conn_free(pxy_conn_ctx_t *ctx, int by_requestor)
 		evutil_closesocket(ctx->fd);
 	}

-	if (ctx->srvdst.bev) {
+	// If srvdst has been xferred to the first child conn, the child should free it, not the parent
+	if (!ctx->srvdst_xferred && ctx->srvdst.bev) {
 		ctx->srvdst.free(ctx->srvdst.bev, ctx);
 		ctx->srvdst.bev = NULL;
 	}
@ -580,8 +581,8 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx)
 		              STRORDASH(ctx->sslctx->ssl_names),
 		              SSL_get_version(ctx->src.ssl),
 		              SSL_get_cipher(ctx->src.ssl),
-		              !ctx->srvdst.closed && ctx->srvdst.ssl ? SSL_get_version(ctx->srvdst.ssl):ctx->sslctx->srvdst_ssl_version,
-		              !ctx->srvdst.closed && ctx->srvdst.ssl ? SSL_get_cipher(ctx->srvdst.ssl):ctx->sslctx->srvdst_ssl_cipher,
+		              STRORDASH(ctx->sslctx->srvdst_ssl_version),
+		              STRORDASH(ctx->sslctx->srvdst_ssl_cipher),
 		              STRORDASH(ctx->sslctx->origcrtfpr),
 		              STRORDASH(ctx->sslctx->usedcrtfpr),
 #ifdef HAVE_LOCAL_PROCINFO
@ -1148,10 +1149,12 @@ pxy_listener_acceptcb_child(UNUSED struct evconnlistener *listener, evutil_socke
 		}
 	}

-	/* initiate connection */
-	if (bufferevent_socket_connect(ctx->dst.bev, (struct sockaddr *)&ctx->conn->dstaddr, ctx->conn->dstaddrlen) == -1) {
-		pxy_conn_term(conn, 1);
-		goto out;
+	/* initiate connection, except for the first child conn which uses the parent's srvdst as dst */
+	if (ctx->dst.bev != ctx->conn->srvdst.bev) {
+		if (bufferevent_socket_connect(ctx->dst.bev, (struct sockaddr *)&ctx->conn->dstaddr, ctx->conn->dstaddrlen) == -1) {
+			pxy_conn_term(conn, 1);
+			goto out;
+		}
 	}
 	
 	ctx->dst_fd = bufferevent_getfd(ctx->dst.bev);
--- a/pxyconn.h
+++ b/pxyconn.h
@ -229,6 +229,7 @@ struct pxy_conn_ctx {
 	unsigned int term : 1;                     /* 0 until term requested */
 	unsigned int term_requestor : 1;          /* 1 client, 0 server side */

+	unsigned int srvdst_xferred : 1;     /* 1 if srvdst xferred to child */
 	struct pxy_conn_desc srvdst;

 	struct event *ev;