2 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
10 #define SQUID_SRC_SECURITY_SERVEROPTIONS_H
12 #include "anyp/forward.h"
13 #include "security/PeerOptions.h"
18 /// TLS squid.conf settings for a listening port
19 class ServerOptions
: public PeerOptions
/// Generates the sk_X509_NAME_free_wrapper deleter used by
/// X509_NAME_STACK_Pointer below. The X509_NAME_free argument presumably
/// frees each stack element as the stack itself is released -- confirm
/// against the sk_dtor_wrapper definition.
sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
/// Owning pointer to an OpenSSL stack of X509_NAME entries; the stack is
/// released through the wrapper above when the pointer goes away.
typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
/// Default construction: PeerOptions defaults, except that the
/// tlsDefaultCa flag defaults to off for listening ports.
ServerOptions() : PeerOptions() {
    // Bug 4005: dynamic contexts use a lot of memory and it
    // is more secure to have only a small set of trusted CAs.
    // (The flag presumably governs loading of the library's default CA
    // bundle -- confirm in PeerOptions; only the default is changed here,
    // squid.conf can still turn it on explicitly.)
    flags.tlsDefaultCa.defaultTo(false);
    // NOTE(review): the closing brace of this constructor body is not
    // present in this copy of the file.
ServerOptions(const ServerOptions &) = default;
/// copy assignment, defined out of line; both move operations below
/// delegate to it
ServerOptions &operator =(const ServerOptions &);
/// NOTE(review): default-constructs the base and every member first and
/// then assigns from `o`. Because `o` is an lvalue expression here, the
/// call resolves to the copy assignment above, so this "move" performs a
/// full copy and leaves `o` untouched. It is also not noexcept.
ServerOptions(ServerOptions &&o) { this->operator =(o); }
/// NOTE(review): same as the move constructor -- `o` is an lvalue, so this
/// copies rather than moves.
ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
virtual ~ServerOptions() = default;
/* Security::PeerOptions API */
// NOTE(review): these re-declare PeerOptions virtuals without `override`;
// marking them would let the compiler catch any signature drift in the base.
virtual void parse(const char *);
/// reset to the state of a freshly constructed ServerOptions; implemented
/// as assignment from a temporary, so it goes through operator=
virtual void clear() {*this = ServerOptions();}
virtual Security::ContextPointer createBlankContext() const;
virtual void dumpCfg(Packable *, const char *pfx) const;
/// initialize all server contexts as-needed
void initServerContexts(AnyP::PortCfg &);

/// update the given TLS security context using squid.conf settings
/// \returns a bool, presumably false when the context could not be
/// updated -- confirm the exact failure conditions against the definition
bool updateContextConfig(Security::ContextPointer &);

/// update the context with DH, EDH, EECDH settings
/// (sources: dh, dhParamsFile, eecdhCurve and parsedDhParams below)
void updateContextEecdh(Security::ContextPointer &);

/// update the context with CA details used to verify client certificates
/// (sources: clientCaFile and clientCaStack below)
void updateContextClientCa(Security::ContextPointer &);

/// update the context with a configured session ID (if any)
void updateContextSessionId(Security::ContextPointer &);
59 /// sync the various sources of CA files to be loaded
/// TLS context to use for HTTPS accelerator or static SSL-Bump
Security::ContextPointer staticContext;
SBuf staticContextSessionId; ///< "session id context" for staticContext
// NOTE(review): three alternative definitions of generateHostCertificates
// follow. In the full file they are presumably selected by build-configuration
// conditionals (OpenSSL / GnuTLS / no TLS library) whose directive lines are
// not present in this copy -- confirm against the repository.
bool generateHostCertificates = true; ///< dynamically make host cert

// TODO: GnuTLS does implement TLS server connections so the cert
// generate vs static choice can be reached in the code now.
// But this feature is not fully implemented, so it must not
// be enabled by default for production installations.
bool generateHostCertificates = false; ///< dynamically make host cert

// same as OpenSSL so config errors show up easily
bool generateHostCertificates = true; ///< dynamically make host cert
Security::KeyData signingCa; ///< x509 certificate and key for signing generated certificates
Security::KeyData untrustedSigningCa; ///< x509 certificate and key for signing untrusted generated certificates

/// max size of generated certificates memory cache, in bytes (4 MB default)
size_t dynamicCertMemCacheSize = 4*1024*1024;
/// load client CA certificates; presumably reads clientCaFile into
/// clientCaStack and reports success via the bool -- confirm against the
/// definition
bool loadClientCaFile();
/// generate a security server-context from these configured options;
/// the resulting context is stored in staticContext
/// \returns true if a context could be created
bool createStaticServerContext(AnyP::PortCfg &);

/// initialize contexts for signing dynamic TLS certificates (if needed);
/// the resulting keys are stored in signingCa and untrustedSigningCa
void createSigningContexts(const AnyP::PortCfg &);
SBuf clientCaFile; ///< name of file to load client CAs from

/// CA certificate(s) to use when verifying client certificates
X509_NAME_STACK_Pointer clientCaStack;

// NOTE(review): placeholder declaration for builds that lack the stack type
// used above; presumably selected by a build-configuration conditional whose
// directive lines are not present in this copy -- confirm.
void *clientCaStack = nullptr;
SBuf dh; ///< Diffie-Hellman cipher config
SBuf dhParamsFile; ///< Diffie-Hellman ciphers parameter file
SBuf eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges

Security::DhePointer parsedDhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
115 } // namespace Security
117 #endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */