of queued requests.
<tag>cache_peer</tag>
- <p>All <em>ssloption=</em> and <em>sslversion=</em> values for
+ <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
+ <p>All <em>ssloptions=</em> values for
SSLv2 configuration or disabling have been removed.
+ <p>Removed <em>sslversion=</em> option. Use <em>ssloptions=</em> instead.
<p>Manual squid.conf update may be required on upgrade.
<tag>external_acl_type</tag>
of queued requests.
<tag>http_port</tag>
- <p>All <em>version=</em> <em>option=</em> values for SSLv2
+ <p>All <em>option=</em> values for SSLv2
configuration or disabling have been removed.
+ <p>Removed <em>version=</em> option. Use <em>options=</em> instead.
<p>Manual squid.conf update may be required on upgrade.
<tag>https_port</tag>
- <p>All <em>version=</em> <em>option=</em> values for SSLv2
+ <p>All <em>options=</em> values for SSLv2
configuration or disabling have been removed.
+ <p>Removed <em>version=</em> option. Use <em>options=</em> instead.
<p>Manual squid.conf update may be required on upgrade.
<tag>sslcrtd_children</tag>
<p>New parameter <em>queue-size=</em> to set the maximum number
of queued requests.
- <tag>sslproxy_options</tag>
- <p>All values for SSLv2 configuration or disabling have been removed.
- <p>Manual squid.conf update may be required on upgrade.
-
- <tag>sslproxy_version</tag>
- <p>Value '2' for SSLv2-only operation is no longer supported.
-
<tag>url_rewrite_children</tag>
<p>New parameter <em>queue-size=</em> to set the maximum number
of queued requests.
<tag>sslproxy_options</tag>
<p>Replaced by <em>tls_outgoing_options options=</em>.
+ <p>All values for SSLv2 configuration or disabling have been removed.
+ <p>Manual squid.conf update may be required on upgrade.
<tag>sslproxy_version</tag>
- <p>Replaced by <em>tls_outgoing_options version=</em>.
+ <p>Replaced by <em>tls_outgoing_options options=</em>.
+ <p>All values for SSLv2 configuration or disabling have been removed.
+ <p>Manual squid.conf update may be required on upgrade.
</descrip>
#include "anyp/PortCfg.h"
#include "comm.h"
#include "fatal.h"
+#include "SBuf.h"
#if USE_OPENSSL
#include "ssl/support.h"
#endif
}
}
- contextMethod = Ssl::contextMethod(version);
- if (!contextMethod)
- fatalf("Unable to compute context method to use");
+ // backward compatibility hack for sslversion= configuration
+ if (version > 2) {
+ const char *add = NULL;
+ switch (version) {
+ case 3:
+ add = "NO_TLSv1,NO_TLSv1_1,NO_TLSv1_2";
+ break;
+ case 4:
+ add = "NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2";
+ break;
+ case 5:
+ add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_2";
+ break;
+ case 6:
+ add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_1";
+ break;
+ default: // nothing
+ break;
+ }
+ if (add) {
+ SBuf tmpOpts;
+ if (options) {
+ tmpOpts.append(options, strlen(options));
+ tmpOpts.append(",",1);
+ }
+ tmpOpts.append(add, strlen(add));
+ xfree(options);
+ options = xstrdup(tmpOpts.c_str());
+ }
+ version = 0; // prevent options being repeatedly appended
+ }
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ contextMethod = TLS_server_method();
+#else
+ contextMethod = SSLv23_server_method();
+#endif
if (dhfile)
dhParams.reset(Ssl::readDHParams(dhfile));
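Review bot: The `sslversion=` translation table at lines 59-76 is duplicated verbatim in Security::PeerOptions (the `sslVersion > 2` switch in the createClientContext hunk below); a single shared helper such as `static const char *legacyVersionOptions(int version)` returning the NO_* string or NULL would keep the two translations from drifting apart. The `version = 0` reset after appending is the right re-entry guard, but `version == 2` is now silently a no-op here, whereas the removed `Ssl::contextMethod` path returned NULL for 2 and this code used to `fatalf` on that; if SSLv2 configurations are meant to be rejected, the parser is the cleaner place to enforce it (see the `version=` hunk). The function enclosing this block starts and ends outside the hunk.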
p->secure.encryptTransport = true;
p->secure.parse(token+3);
#endif
-
+ } else if (strncmp(token, "tls-", 4) == 0) {
+#if !USE_OPENSSL
+ debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl");
+#else
+ p->secure.encryptTransport = true;
+ p->secure.parse(token+4);
+#endif
} else if (strcmp(token, "front-end-https") == 0) {
p->front_end_https = 1;
} else if (strcmp(token, "front-end-https=on") == 0) {
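Review bot: On a build without OpenSSL the new `tls-` branch logs a WARNING and carries on, so a peer the administrator explicitly configured for TLS is then used with `encryptTransport` left unset, i.e. in plaintext; a configuration that cannot be honoured should fail loudly, e.g. `self_destruct();` after the `debugs()`. The preceding `ssl` branch (only its tail is visible above the hunk) appears to follow the same warn-and-continue pattern, so whichever behaviour is chosen should be applied to both. Also, `strncmp(token, "tls-", 4)` accepts any `tls-*` token and hands the remainder to `PeerOptions::parse`, so an unrecognised option name is rejected only if that parser's fallthrough rejects it — worth confirming.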
safe_free(s->key);
s->key = xstrdup(token + 4);
} else if (strncmp(token, "version=", 8) == 0) {
+ debugs(3, DBG_PARSE_NOTE(1), "UPGRADE WARNING: '" << token << "' is deprecated " <<
+ "in " << cfg_directive << ". Use 'options=' instead.");
s->version = xatoi(token + 8);
- if (s->version < 1 || s->version > 4)
+ if (s->version < 1 || s->version > 6)
self_destruct();
} else if (strncmp(token, "options=", 8) == 0) {
safe_free(s->options);
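Review bot: Widening the range check to `s->version > 6` still accepts `version=2`, which the PortCfg.cc translation ignores (its compatibility switch only acts for `version > 2`), so a config asking for SSLv2-only now loads with no protocol restriction instead of failing as the removed `Ssl::contextMethod` path did; reject it here: `if (s->version < 1 || s->version == 2 || s->version > 6) self_destruct();`. The deprecation notice would also be more actionable if it named the replacement flags, e.g. `Use options=NO_SSLv3,NO_TLSv1... instead.`, since the mapping is otherwise only discoverable from the source.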
if (s->key)
storeAppendPrintf(e, " key=%s", s->key);
- if (s->version)
- storeAppendPrintf(e, " version=%d", s->version);
-
if (s->options)
storeAppendPrintf(e, " options=%s", s->options);
NAME: sslproxy_version
TYPE: obsolete
DOC_START
- Remove this line. Use tls_outgoing_options version= instead.
+ Remove this line. Use tls_outgoing_options options= instead.
DOC_END
# Options removed in 3.5
assumed to be a combined certificate and
key file.
- version= The version of SSL/TLS supported
- 1 automatic (default)
- 3 SSLv3 only
- 4 TLSv1.0 only
- 5 TLSv1.1 only
- 6 TLSv1.2 only
-
cipher= Colon separated list of supported ciphers.
NOTE: some ciphers such as EDH ciphers depend on
additional settings. If those settings are
assumed to be a combined certificate and
key file.
- version= The version of SSL/TLS supported
- 1 automatic (default)
- 3 SSLv3 only
- 4 TLSv1 only
-
cipher= Colon separated list of supported ciphers.
options= Various SSL engine options. The most important
If key= is not specified cert= is assumed to reference
a PEM file containing both the certificate and the key.
- version=1|3|4|5|6
- The TLS/SSL version to use when connecting
- 1 = automatic (default)
- 3 = SSL v3 only
- 4 = TLS v1.0 only
- 5 = TLS v1.1 only
- 6 = TLS v1.2 only
-
cipher=... The list of valid TLS ciphers to use.
-
+
+ min-version=1.N
+ The minimum TLS protocol version to permit. To control
+ SSLv3 use the options= parameter.
+ Supported Values: 1.0 (default), 1.1, 1.2
+
options=... Specify various TLS/SSL implementation options:
NO_SSLv3 Disallow the use of SSLv3
reference a combined file containing both the
certificate and the key.
- sslversion=1|3|4|5|6
- The SSL version to use when connecting to this peer
- 1 = automatic (default)
- 3 = SSL v3 only
- 4 = TLS v1.0 only
- 5 = TLS v1.1 only
- 6 = TLS v1.2 only
-
sslcipher=... The list of valid SSL ciphers to use when connecting
to this peer.
-
+
+ tls-min-version=1.N
+ The minimum TLS protocol version to permit. To control
+ SSLv3 use the ssloptions= parameter.
+ Supported Values: 1.0 (default), 1.1, 1.2
+
ssloptions=... Specify various SSL implementation options:
NO_SSLv3 Disallow the use of SSLv3
reference a combined file containing both the
certificate and the key.
- sslversion=1|3|4|5|6
- The SSL version to use when connecting to this icap
- server
- 1 = automatic (default)
- 3 = SSL v3 only
- 4 = TLS v1.0 only
- 5 = TLS v1.1 only
- 6 = TLS v1.2 only
-
sslcipher=... The list of valid SSL ciphers to use when connecting
to this icap server.
+ tls-min-version=1.N
+ The minimum TLS protocol version to permit. To control
+ SSLv3 use the ssloptions= parameter.
+ Supported Values: 1.0 (default), 1.1, 1.2
+
ssloptions=... Specify various SSL implementation options:
NO_SSLv3 Disallow the use of SSLv3
#include "squid.h"
#include "Debug.h"
#include "globals.h"
+#include "parser/Tokenizer.h"
#include "Parsing.h"
#include "security/PeerOptions.h"
certFile = privateKeyFile;
}
} else if (strncmp(token, "version=", 8) == 0) {
+ debugs(0, DBG_PARSE_NOTE(1), "UPGRADE WARNING: SSL version= is deprecated. Use options= to limit protocols instead.");
sslVersion = xatoi(token + 8);
+ } else if (strncmp(token, "min-version=", 12) == 0) {
+ tlsMinVersion = SBuf(token + 12);
} else if (strncmp(token, "options=", 8) == 0) {
sslOptions = SBuf(token + 8);
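Review bot: `min-version=` is stored unvalidated here and only checked later in createClientContext, where a bad value produces a WARNING and no restriction at all, so a typo such as `min-version=1,2` silently leaves TLS 1.0 permitted. Validate at parse time and fail the configuration: tokenize `token + 12` here and take this parser's fatal path when the value is not one of the 1.0/1.1/1.2 forms documented in cf.data.pre. The enclosing parse() starts and ends outside the hunk.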
#if USE_OPENSSL
{
Security::ContextPointer t = NULL;
+ if (!tlsMinVersion.isEmpty()) {
+ ::Parser::Tokenizer tok(tlsMinVersion);
+ int64_t v = 0;
+ if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 2) {
+ // only account for TLS here - SSL versions are handled by options= parameter
+ if (v > 0)
+ sslOptions.append(",NO_TLSv1",9);
+ if (v > 1)
+ sslOptions.append(",NO_TLSv1_1",11);
+ if (v > 2)
+ sslOptions.append(",NO_TLSv1_2",11);
+
+ } else {
+ debugs(0, DBG_PARSE_NOTE(1), "WARNING: Unknown TLS minimum version: " << tlsMinVersion);
+ }
+
+ } else if (sslVersion > 2) {
+ // backward compatibility hack for sslversion= configuration
+ // only use if tls-min-version=N.N is not present
+
+ const char *add = NULL;
+ switch (sslVersion) {
+ case 3:
+ add = "NO_TLSv1,NO_TLSv1_1,NO_TLSv1_2";
+ break;
+ case 4:
+ add = "NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2";
+ break;
+ case 5:
+ add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_2";
+ break;
+ case 6:
+ add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_1";
+ break;
+ default: // nothing
+ break;
+ }
+ if (add) {
+ if (!sslOptions.isEmpty())
+ sslOptions.append(",",1);
+ sslOptions.append(add, strlen(add));
+ }
+ sslVersion = 0; // prevent sslOptions being repeatedly appended
+ }
+
#if USE_OPENSSL
// XXX: temporary performance regression. c_str() data copies and prevents this being a const method
- t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(),
- (setOptions ? sslOptions.c_str() : NULL), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str());
+ t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslCipher.c_str(),
+ (setOptions ? sslOptions.c_str() : NULL), sslFlags.c_str(),
+ caFile.c_str(), caDir.c_str(), crlFile.c_str());
#endif
return t;
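Review bot: The protocol flags appended from `tlsMinVersion` (lines 241-244) reach sslCreateClientContext only when `setOptions` is true, so if `setOptions` is set solely by the `options=` parser (it is assigned outside this hunk), `tls-min-version=1.2` without an accompanying `options=` has no effect and TLS 1.0 stays enabled; either pass `sslOptions` whenever it is non-empty or set `setOptions = true` when flags are appended. Two smaller issues in the same block: the appends start with `,` even when `sslOptions` is empty (the `sslVersion` branch guards with `isEmpty()` first, and whether `parse_options` tolerates a leading empty token is not visible here), and unlike `sslVersion = 0` there is no guard against re-appending on every call, so repeated createClientContext calls keep growing `sslOptions`. The `v > 2` branch is unreachable under the `v <= 2` condition, and `tok.int64(v, 10, false, 1)` without a trailing `tok.atEnd()` check lets `1.25` parse as 1.2; adding `&& tok.atEnd()` closes that.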
SBuf sslFlags;
SBuf sslDomain;
+ SBuf tlsMinVersion; ///< version label for minimum TLS version to permit
+
long parsedOptions; ///< parsed value of sslOptions
+private:
int sslVersion;
+public:
/// whether transport encryption (TLS/SSL) is to be used on connections to the peer
bool encryptTransport;
};
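Review bot: Sandwiching `private: int sslVersion; public:` between public members makes the access level of the following declarations easy to misread; move `sslVersion` to a trailing private section instead. The new member comment `///< version label for minimum TLS version to permit` should also record the accepted format, e.g. `///< "1.N" label for the minimum TLS version to permit; validated in createClientContext()`, so the header agrees with the cf.data.pre documentation.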
// SSL version which can be used to the SSL version used for client hello message.
// For example will prevent comunnicating with a tls1.0 server if the
// client sent and tlsv1.2 Hello message.
- //SSL_set_ssl_method(ssl, Ssl::clientMethod(features.toSquidSSLVersion()));
#if defined(TLSEXT_NAMETYPE_host_name)
if (!serverName.isEmpty()) {
SSL_set_tlsext_host_name(ssl, serverName.c_str());
sslCreateServerContext(AnyP::PortCfg &port)
{
int ssl_error;
- SSL_CTX *sslContext;
const char *keyfile, *certfile;
certfile = port.cert;
keyfile = port.key;
if (!certfile)
certfile = keyfile;
- sslContext = SSL_CTX_new(port.contextMethod);
+ SSL_CTX *sslContext = SSL_CTX_new(port.contextMethod);
if (sslContext == NULL) {
ssl_error = ERR_get_error();
return 1;
}
-#if OPENSSL_VERSION_NUMBER < 0x00909000L
-SSL_METHOD *
-#else
-const SSL_METHOD *
-#endif
-Ssl::clientMethod(int version)
-{
- switch (version) {
-
- case 2:
- debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
- return NULL;
- break;
-
- case 3:
- debugs(83, 5, "Using SSLv3.");
- return SSLv3_client_method();
- break;
-
- case 4:
- debugs(83, 5, "Using TLSv1.");
- return TLSv1_client_method();
- break;
-
- case 5:
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
- debugs(83, 5, "Using TLSv1.1.");
- return TLSv1_1_client_method();
-#else
- debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy.");
- return NULL;
-#endif
- break;
-
- case 6:
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
- debugs(83, 5, "Using TLSv1.2");
- return TLSv1_2_client_method();
-#else
- debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy.");
- return NULL;
-#endif
- break;
-
- case 1:
-
- default:
- debugs(83, 5, "Using SSLv2/SSLv3.");
- return SSLv23_client_method();
- break;
- }
-
- //Not reached
- return NULL;
-}
-
-const SSL_METHOD *
-Ssl::serverMethod(int version)
-{
- switch (version) {
-
- case 2:
- debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
- return NULL;
- break;
-
- case 3:
- debugs(83, 5, "Using SSLv3.");
- return SSLv3_server_method();
- break;
-
- case 4:
- debugs(83, 5, "Using TLSv1.");
- return TLSv1_server_method();
- break;
-
- case 5:
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
- debugs(83, 5, "Using TLSv1.1.");
- return TLSv1_1_server_method();
-#else
- debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy.");
- return NULL;
-#endif
- break;
-
- case 6:
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
- debugs(83, 5, "Using TLSv1.2");
- return TLSv1_2_server_method();
-#else
- debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy.");
- return NULL;
-#endif
- break;
-
- case 1:
-
- default:
- debugs(83, 5, "Using SSLv2/SSLv3.");
- return SSLv23_server_method();
- break;
- }
-
- //Not reached
- return NULL;
-}
-
#if defined(TLSEXT_TYPE_next_proto_neg)
//Dummy next_proto_neg callback
static int
#endif
SSL_CTX *
-sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile)
+sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile)
{
int ssl_error;
- Ssl::ContextMethod method;
- SSL_CTX * sslContext;
long fl = Ssl::parse_flags(flags);
ssl_initialize();
- if (!(method = Ssl::clientMethod(version)))
- return NULL;
-
- sslContext = SSL_CTX_new(method);
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ SSL_CTX *sslContext = SSL_CTX_new(TLS_client_method());
+#else
+ SSL_CTX *sslContext = SSL_CTX_new(SSLv23_client_method());
+#endif
if (sslContext == NULL) {
ssl_error = ERR_get_error();
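Review bot: With `TLS_client_method()`/`SSLv23_client_method()` the context negotiates every protocol the library offers, and the only thing narrowing that is the `options` string, which callers may pass as NULL (PeerOptions passes NULL when `setOptions` is false); the function's header comment should state that the caller is responsible for protocol restriction via options=. On OpenSSL >= 1.1.0 `SSL_CTX_set_min_proto_version()` expresses a minimum version directly and is more robust than the individual NO_TLSv1* flags, and could be applied from the same `#if` branch that selects `TLS_client_method()`. The `int ssl_error;` left at the top is uninitialized until the error path; declaring it at first use would match the `SSL_CTX *sslContext` change made here.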
return str;
}
-Ssl::ContextMethod
-Ssl::contextMethod(int version)
-{
- Ssl::ContextMethod method;
-
- switch (version) {
-
- case 2:
- debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
- return NULL;
- break;
-
- case 3:
- debugs(83, 5, "Using SSLv3.");
- method = SSLv3_server_method();
- break;
-
- case 4:
- debugs(83, 5, "Using TLSv1.");
- method = TLSv1_server_method();
- break;
-
- case 5:
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
- debugs(83, 5, "Using TLSv1.1.");
- method = TLSv1_1_server_method();
-#else
- debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy.");
- return NULL;
-#endif
- break;
-
- case 6:
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
- debugs(83, 5, "Using TLSv1.2");
- method = TLSv1_2_server_method();
-#else
- debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy.");
- return NULL;
-#endif
- break;
-
- case 1:
-
- default:
- debugs(83, 5, "Using SSLv2/SSLv3.");
- method = SSLv23_server_method();
- break;
- }
- return method;
-}
-
/// \ingroup ServerProtocolSSLInternal
/// Create SSL context and apply ssl certificate and private key to it.
SSL_CTX *
SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port);
/// \ingroup ServerProtocolSSLAPI
-SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);
+SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);
/// \ingroup ServerProtocolSSLAPI
int ssl_read_method(int, char *, int);
*/
DH *readDHParams(const char *dhfile);
-/**
- \ingroup ServerProtocolSSLAPI
- * Compute the Ssl::ContextMethod (SSL_METHOD) from SSL version
- */
-ContextMethod contextMethod(int version);
-
/**
\ingroup ServerProtocolSSLAPI
* Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
int OpenSSLtoSquidSSLVersion(int sslVersion);
-#if OPENSSL_VERSION_NUMBER >= 0x00909000L
-const
-#endif
-SSL_METHOD *clientMethod(int version);
-
-const SSL_METHOD *serverMethod(int version);
-
/**
\ingroup ServerProtocolSSLAPI
* Initializes the shared session cache if configured
bool CertError::operator != (const CertError &ce) const STUB_RETVAL(false)
} // namespace Ssl
SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port) STUB_RETVAL(NULL)
-SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) STUB_RETVAL(NULL)
+SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) STUB_RETVAL(NULL)
int ssl_read_method(int, char *, int) STUB_RETVAL(0)
int ssl_write_method(int, const char *, int) STUB_RETVAL(0)
void ssl_shutdown_method(SSL *ssl) STUB
long parse_options(const char *options) STUB_RETVAL(0)
STACK_OF(X509_CRL) *loadCrl(const char *CRLFile, long &flags) STUB_RETVAL(NULL)
DH *readDHParams(const char *dhfile) STUB_RETVAL(NULL)
-ContextMethod contextMethod(int version) STUB_RETVAL(ContextMethod())
bool generateUntrustedCert(X509_Pointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey) STUB_RETVAL(false)
SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port) STUB_RETVAL(NULL)
bool verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties) STUB_RETVAL(false)