From c8a4365fddb3d413279bf12f746964b78f0a95f4 Mon Sep 17 00:00:00 2001 From: Alex Rousskov Date: Thu, 19 Dec 2024 16:58:21 -0500 Subject: [PATCH] Do not lookup IP addresses of X509 certificate subject CNs A true-vs-false `nodns` parameter value bug in a recent commit 22b2a7a0 caused, in some environments, significant startup delays and/or runtime stalls because getaddrinfo(3) performed blocking DNS lookups when parsing common names of X509 certificate subjects. Squid parses CNs when loading configured and validating received certificates. Other side effects may have included Squid-generated certificates having wrong alternative subject names and/or wrong certificate validation results. Negative names and context-disassociated boolean constants strike again! Fortunately, associated problematic Ip::Address::lookupHostIP() will be replaced when the existing Ip::Address::Parse() TODO is addressed. --- src/ip/Address.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ip/Address.cc b/src/ip/Address.cc index 37570298e0f..298db47a4d0 100644 --- a/src/ip/Address.cc +++ b/src/ip/Address.cc @@ -45,7 +45,7 @@ Ip::Address::Parse(const char * const raw) { Address tmp; // TODO: Merge with lookupHostIP() after removing DNS lookups from Ip. - if (tmp.lookupHostIP(raw, false)) + if (tmp.lookupHostIP(raw, true)) return tmp; return std::nullopt; }
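Review bot: The fix in the `Ip::Address::Parse()` hunk is a bare boolean literal flip (`false` to `true`) passed positionally to `lookupHostIP()`, and a negated parameter name like `nodns` is exactly what let the original inversion slip through; consider annotating the argument at the call site so the intent is visible without opening the callee, e.g. `if (tmp.lookupHostIP(raw, /* nodns = */ true))`, or replacing the boolean with a named constant or enum until the existing "Merge with lookupHostIP() after removing DNS lookups from Ip" TODO is resolved. A regression test for `Ip::Address::Parse()` would also help here: feed it a hostname-like string (the commit message says CNs from X509 subjects reach this path) and assert it returns `std::nullopt` rather than triggering a `getaddrinfo(3)` call, since the symptom described (startup delays and runtime stalls from blocking lookups) is otherwise only observable in environments where DNS is slow.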