 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
10 #include "anyp/PortCfg.h"
13 #include "security/PeerOptions.h"
15 #include "ssl/support.h"
// Head of the configured http_port entries (presumably a linked list of
// PortCfg objects reached through PortCfgPointer -- confirm against the
// config parser).
AnyP::PortCfgPointer HttpPortList;

// Head of the configured ftp_port entries; same structure as HttpPortList.
AnyP::PortCfgPointer FtpPortList;

// One slot per configured TCP listening port (bounded by MAXTCPLISTENPORTS);
// presumably holds the listening socket descriptors -- confirm against users.
int HttpSockets[MAXTCPLISTENPORTS];
// Default-initialises one listening-port configuration. The port starts out
// as a plain HTTP listener; the SSL-related members get their defaults here
// (host-certificate generation on, 4 MB dynamic certificate cache) and are
// only acted upon once a caller configures TLS for the port.
// NOTE(review): this listing is an excerpt -- the initialisers of several
// other members are not visible here.
27 AnyP::PortCfg::PortCfg() :
30 transport(AnyP::PROTO_HTTP
,1,1), // "Squid is an HTTP proxy", etc.
// Connection-oriented authentication stays enabled unless explicitly disabled.
// TODO(review): confirm exactly what this flag gates against its users.
38 connection_auth_disabled(false),
39 ftp_track_dirs(false),
41 disable_pmtu_discovery(0),
// No session-ID context until one is configured. When set it is an xstrdup'd
// C string: released in ~PortCfg(), deep-copied in clone().
46 sslContextSessionId(NULL
),
// On by default: presumably enables on-the-fly generation of server
// certificates for bumped connections -- confirm against users of this flag.
47 generateHostCertificates(true),
48 dynamicCertMemCacheSize(4*1024*1024), // 4 MB
// Default-constructed (empty) until configureSslServerContext() fills it in.
52 untrustedSigningCert(),
// Zero the whole keepalive struct so fields that are never set have a defined
// (zero) value instead of stack garbage.
57 memset(&tcp_keepalive
, 0, sizeof(tcp_keepalive
));
// Releases what a PortCfg owns: the listening connection, if it was ever
// opened, and the xstrdup'd strings freed below.
// NOTE(review): excerpt -- the body of the IsConnOpen() branch and the
// release of the other xstrdup'd members (name, clientca; see clone()) are not
// visible here; confirm they are freed in the omitted lines.
60 AnyP::PortCfg::~PortCfg()
// Only touch listenConn if the port actually got opened.
62 if (Comm::IsConnOpen(listenConn
)) {
68 safe_free(defaultsite
);
72 safe_free(sslContextSessionId
);
// Builds a new PortCfg duplicating this port's *configuration* state: owned
// C strings are deep-copied with xstrdup(), scalars and the tcp_keepalive
// struct are copied by value. Runtime state (listenConn, the TLS context) is
// deliberately not copied -- see the TODO near the end of this excerpt.
// NOTE(review): excerpt -- the rest of the body (including the return of
// `b`) is not visible here.
77 AnyP::PortCfg::clone() const
79 AnyP::PortCfgPointer b
= new AnyP::PortCfg();
// NOTE(review): name, defaultsite and clientca are duplicated without a NULL
// check, whereas sslContextSessionId below is guarded; confirm xstrdup()
// tolerates NULL, or give these three the same guard.
82 b
->name
= xstrdup(name
);
84 b
->defaultsite
= xstrdup(defaultsite
);
86 b
->transport
= transport
;
88 b
->allow_direct
= allow_direct
;
91 b
->connection_auth_disabled
= connection_auth_disabled
;
92 b
->ftp_track_dirs
= ftp_track_dirs
;
93 b
->disable_pmtu_discovery
= disable_pmtu_discovery
;
// Plain struct assignment: copies every keepalive field at once.
94 b
->tcp_keepalive
= tcp_keepalive
;
99 b
->clientca
= xstrdup(clientca
);
// Copied only when set; the clone's pointer otherwise stays NULL from the ctor.
100 if (sslContextSessionId
)
101 b
->sslContextSessionId
= xstrdup(sslContextSessionId
);
// Security note: because the TLS context is not cloned, a clone taken after
// configureSslServerContext() has built that context would presumably not
// carry it -- clone before post-configure initialisation, as the TODO says.
// The local below appears unused in the lines visible here.
104 // TODO: AYJ: 2015-01-15: for now SSL does not clone the context object.
105 // cloning should only be done before the PortCfg is post-configure initialized and opened
106 Security::ContextPointer sslContext
;
116 AnyP::PortCfg::configureSslServerContext()
118 if (!secure
.certs
.empty()) {
119 Security::KeyData
&keys
= secure
.certs
.front();
120 Ssl::readCertChainAndPrivateKeyFromFiles(signingCert
, signPkey
, certsToChain
, keys
.certFile
.c_str(), keys
.privateKeyFile
.c_str());
125 fatalf("No valid signing SSL certificate configured for %s_port %s", AnyP::ProtocolType_str
[transport
.protocol
], s
.toUrl(buf
, sizeof(buf
)));
129 debugs(3, DBG_IMPORTANT
, "No SSL private key configured for " << AnyP::ProtocolType_str
[transport
.protocol
] << "_port " << s
);
131 Ssl::generateUntrustedCert(untrustedSigningCert
, untrustedSignPkey
,
132 signingCert
, signPkey
);
134 if (!untrustedSigningCert
) {
136 fatalf("Unable to generate signing SSL certificate for untrusted sites for %s_port %s", AnyP::ProtocolType_str
[transport
.protocol
], s
.toUrl(buf
, sizeof(buf
)));
140 clientCA
.reset(SSL_load_client_CA_file(clientca
));
141 if (clientCA
.get() == NULL
) {
142 fatalf("Unable to read client CAs! from %s", clientca
);
146 if (!secure
.createStaticServerContext(*this)) {
148 fatalf("%s_port %s initialization error", AnyP::ProtocolType_str
[transport
.protocol
], s
.toUrl(buf
, sizeof(buf
)));