/*
- * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
#define SQUID_SRC_SECURITY_PEEROPTIONS_H
+#include "base/YesNoNone.h"
#include "ConfigParser.h"
-#include "SBuf.h"
-#include "security/forward.h"
+#include "security/KeyData.h"
class Packable;
public:
PeerOptions() : parsedOptions(0), parsedFlags(0), sslVersion(0), encryptTransport(false) {}
PeerOptions(const PeerOptions &);
+ virtual ~PeerOptions() = default;
/// parse a TLS squid.conf option
- void parse(const char *);
+ virtual void parse(const char *);
/// reset the configuration details to default
- void clear() {*this = PeerOptions();}
+ virtual void clear() {*this = PeerOptions();}
+
+ /// generate an unset security context object
+ virtual Security::ContextPointer createBlankContext() const;
/// generate a security client-context from these configured options
Security::ContextPointer createClientContext(bool setOptions);
/// sync the context options with tls-min-version=N configuration
void updateTlsVersionLimits();
+ /// setup the NPN extension details for the given context
+ void updateContextNpn(Security::ContextPointer &);
+
+ /// setup the CA details for the given context
+ void updateContextCa(Security::ContextPointer &);
+
+ /// setup the CRL details for the given context
+ void updateContextCrl(Security::ContextPointer &);
+
/// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
- void dumpCfg(Packable *, const char *pfx) const;
+ virtual void dumpCfg(Packable *, const char *pfx) const;
private:
long parseOptions();
long parseFlags();
+ void loadCrlFile();
public:
- SBuf certFile; ///< path of file containing PEM format X509 certificate
- SBuf privateKeyFile; ///< path of file containing private key in PEM format
SBuf sslOptions; ///< library-specific options string
- SBuf caFile; ///< path of file containing trusted Certificate Authority
SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities
SBuf crlFile; ///< path of file containing Certificate Revoke List
long parsedOptions; ///< parsed value of sslOptions
long parsedFlags; ///< parsed value of sslFlags
-private:
+ std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
+ std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
+ Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate
+
+protected:
int sslVersion;
+ /// flags governing Squid internal TLS operations
+ struct flags_ {
+ flags_() : tlsDefaultCa(true), tlsNpn(true) {}
+
+ /// whether to use the system default Trusted CA when verifying the remote end certificate
+ YesNoNone tlsDefaultCa;
+
+ /// whether to use the TLS NPN extension on these connections
+ bool tlsNpn;
+ } flags;
+
public:
/// whether transport encryption (TLS/SSL) is to be used on connections to the peer
bool encryptTransport;