2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
12 #include "base/YesNoNone.h"
13 #include "ConfigParser.h"
14 #include "security/KeyData.h"
21 /// TLS squid.conf settings for a remote server peer
/// Default configuration: parsedOptions, parsedFlags and sslVersion are
/// zeroed and encryptTransport is false; every other member keeps its own
/// default-constructed value.
/// NOTE(review): sslVersion is initialised here but its declaration is not in
/// this excerpt — confirm it is declared after parsedFlags so that the
/// initialiser order matches the declaration order.
25 PeerOptions() : parsedOptions(0), parsedFlags(0), sslVersion(0), encryptTransport(false) {}
26 PeerOptions(const PeerOptions
&);
27 virtual ~PeerOptions() = default;
29 /// parse a TLS squid.conf option
30 virtual void parse(const char *);
32 /// reset the configuration details to default
/// Implemented as assignment from a default-constructed PeerOptions, so it
/// relies on the copy-assignment operator. A copy constructor is user-declared
/// above but no assignment operator is visible in this excerpt — confirm the
/// implicitly generated one treats every member the same way as the copy
/// constructor, or the reset may leave the object inconsistent.
/// Being virtual, a derived class that does not override this only gets its
/// PeerOptions sub-object reset. free_securePeerOptions() below uses this to
/// drop the global ProxyOutgoingConfig.
33 virtual void clear() {*this = PeerOptions();}
35 /// generate an unset security context object
36 virtual Security::ContextPtr
createBlankContext() const;
38 /// generate a security client-context from these configured options
39 Security::ContextPtr
createClientContext(bool setOptions
);
41 /// sync the context options with tls-min-version=N configuration
42 void updateTlsVersionLimits();
44 /// setup the NPN extension details for the given context
45 void updateContextNpn(Security::ContextPtr
&);
47 /// setup the CA details for the given context
48 void updateContextCa(Security::ContextPtr
&);
50 /// setup the CRL details for the given context
51 void updateContextCrl(Security::ContextPtr
&);
53 /// output the stored settings in squid.conf syntax, prefixing each parameter with 'pfx'
54 virtual void dumpCfg(Packable
*, const char *pfx
) const;
62 SBuf sslOptions
; ///< library-specific options string
63 SBuf caDir
; ///< path of directory containing a set of trusted Certificate Authorities
64 SBuf crlFile
; ///< path of file containing a Certificate Revocation List (CRL)
67 SBuf sslFlags
; ///< flags defining what TLS operations Squid performs
70 SBuf tlsMinVersion
; ///< version label for minimum TLS version to permit
72 long parsedOptions
; ///< parsed value of sslOptions
73 long parsedFlags
; ///< parsed value of sslFlags
75 std::list
<Security::KeyData
> certs
; ///< details from the cert= and file= config parameters
76 std::list
<SBuf
> caFiles
; ///< paths of files containing trusted Certificate Authority certificates
77 Security::CertRevokeList parsedCrl
; ///< CRL to use when verifying the remote end certificate
82 /// flags governing Squid internal TLS operations
/// Defaults: use the system default trusted CAs and use the NPN extension.
/// NOTE(review): tlsNpn's declaration is not in this excerpt (only its doc
/// comment appears below) — confirm it is declared after tlsDefaultCa so the
/// initialiser order matches the declaration order.
84 flags_() : tlsDefaultCa(true), tlsNpn(true) {}
86 /// whether to use the system default Trusted CA when verifying the remote end certificate
87 YesNoNone tlsDefaultCa
;
89 /// whether to use the TLS NPN extension on these connections
94 /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
95 bool encryptTransport
;
98 /// configuration options for DIRECT server access
99 extern PeerOptions ProxyOutgoingConfig
;
101 } // namespace Security
/// parse the tls_outgoing_options directive into the given PeerOptions
/// (squid.conf parser hook; the caller supplies the object to fill)
104 void parse_securePeerOptions(Security::PeerOptions
*);
/// squid.conf "free" hook. The argument x is not used: this always resets the
/// global Security::ProxyOutgoingConfig via PeerOptions::clear().
105 #define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
/// squid.conf "dump" hook: writes the directive name n, then the settings of x
/// via dumpCfg() with an empty prefix, then a newline, to the Packable e.
106 #define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
108 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */