2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
12 #include "base/YesNoNone.h"
13 #include "ConfigParser.h"
14 #include "security/KeyData.h"
21 /// TLS squid.conf settings for a remote server peer
25 PeerOptions() = default;
26 PeerOptions(const PeerOptions
&);
27 PeerOptions
&operator =(const PeerOptions
&);
28 virtual ~PeerOptions() {}
30 /// parse a TLS squid.conf option
31 virtual void parse(const char *);
33 /// reset the configuration details to default
34 virtual void clear() {*this = PeerOptions();}
36 /// generate an unset security context object
37 virtual Security::ContextPointer
createBlankContext() const;
39 /// generate a security client-context from these configured options
40 Security::ContextPointer
createClientContext(bool setOptions
);
42 /// sync the context options with tls-min-version=N configuration
43 void updateTlsVersionLimits();
45 /// setup the NPN extension details for the given context
46 void updateContextNpn(Security::ContextPointer
&);
48 /// setup the CA details for the given context
49 void updateContextCa(Security::ContextPointer
&);
51 /// setup the CRL details for the given context
52 void updateContextCrl(Security::ContextPointer
&);
54 /// setup any library-specific options that can be set for the given session
55 void updateSessionOptions(Security::SessionPointer
&);
57 /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
58 virtual void dumpCfg(Packable
*, const char *pfx
) const;
61 void parseOptions(Security::ParsedOptionsPointer
&); ///< parsed value of sslOptions
66 SBuf sslOptions
; ///< library-specific options string
67 SBuf caDir
; ///< path of directory containing a set of trusted Certificate Authorities
68 SBuf crlFile
; ///< path of file containing Certificate Revoke List
71 SBuf sslFlags
; ///< flags defining what TLS operations Squid performs
74 SBuf tlsMinVersion
; ///< version label for minimum TLS version to permit
76 Security::ParsedOptionsPointer parsedOptions
; ///< parsed value of sslOptions
77 long parsedFlags
= 0; ///< parsed value of sslFlags
79 std::list
<Security::KeyData
> certs
; ///< details from the cert= and file= config parameters
80 std::list
<SBuf
> caFiles
; ///< paths of files containing trusted Certificate Authority
81 Security::CertRevokeList parsedCrl
; ///< CRL to use when verifying the remote end certificate
86 /// flags governing Squid internal TLS operations
88 flags_() : tlsDefaultCa(true), tlsNpn(true) {}
90 /// whether to use the system default Trusted CA when verifying the remote end certificate
91 YesNoNone tlsDefaultCa
;
93 /// whether to use the TLS NPN extension on these connections
98 /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
99 bool encryptTransport
= false;
102 /// configuration options for DIRECT server access
103 extern PeerOptions ProxyOutgoingConfig
;
105 } // namespace Security
107 // parse the tls_outgoing_options directive
108 void parse_securePeerOptions(Security::PeerOptions
*);
109 #define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
110 #define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
112 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */