Crypto-NG: initial GnuTLS support for encrypted server connections
authorAmos Jeffries <squid3@treenet.co.nz>
Sun, 5 Feb 2017 05:57:32 +0000 (18:57 +1300)
committerAmos Jeffries <squid3@treenet.co.nz>
Sun, 5 Feb 2017 05:57:32 +0000 (18:57 +1300)
Make significant changes to how the options= config settings are
handled internally since GnuTLS does not expose the priority_t
implementation details like OpenSSL. They are also applied to the
session object instead of to the context.

The Security::SessionPointer is converted to std::shared_ptr. This is
required because GnuTLS does not expose the locking like OpenSSL. Since
we store the SessionPointer to fde::Table::ssl we can always access it
from there one way or another and there is actually no need for OpenSSL
locking sessions now.

Most of the remaining session lifecycle logic is moved to
security/Session.* and given a generic API. Only some client-connection
and SSL-Bump related setup remains in ssl/.

A fair amount more debug output is added, along with some text changes
doing s/SSL/TLS/ in code comments and debug outputs.

src/Makefile.am
src/cf.data.pre
src/client_side.cc
src/comm.cc
src/ssl/bio.cc
src/ssl/bio.h
src/ssl/support.cc

diff --cc src/Makefile.am
Simple merge
diff --cc src/cf.data.pre
index ca37b4a263aa1f33ddbbbff673aa2caf08199877,7be7ebd6032c165c465d086dbaa83e94ddf13ee3..64e7dea1c2cfc11b38824a3e1526811446a284bd
@@@ -2685,15 -2612,15 +2685,11 @@@ DOC_STAR
                        To control SSLv3 use the options= parameter.
                        Supported Values: 1.0 (default), 1.1, 1.2
  
--      options=...     Specify various TLS/SSL implementation options:
 -
 -                          NO_SSLv3    Disallow the use of SSLv3
++      options=...     Specify various TLS/SSL implementation options.
  
-                           NO_SSLv3    Disallow the use of SSLv3
--                          NO_TLSv1    Disallow the use of TLSv1.0
-                           NO_TLSv1_1  Disallow the use of TLSv1.1
++                      OpenSSL options most important are:
  
 -                          NO_TLSv1_1  Disallow the use of TLSv1.1
 -
--                          NO_TLSv1_2  Disallow the use of TLSv1.2
++                          NO_SSLv3    Disallow the use of SSLv3
  
                            SINGLE_DH_USE
                                      Always create a new key when using
                                      Be warned that this reduces SSL/TLS
                                      strength to some attacks.
  
--                      See the OpenSSL SSL_CTX_set_options documentation for a
--                      more complete list.
++                              See the OpenSSL SSL_CTX_set_options documentation
++                              for a more complete list.
++
++                      GnuTLS options most important are:
++
++                          %NO_TICKETS
++                                    Disable use of RFC5077 session tickets.
++                                    Some servers may have problems
++                                    understanding the TLS extension due
++                                    to ambiguous specification in RFC4507.
++
++                              See the GnuTLS Priority Strings documentation
++                              for a more complete list.
++                              http://www.gnutls.org/manual/gnutls.html#Priority-Strings
++
        
        cafile=         PEM file containing CA certificates to use when verifying
                        the peer certificate. May be repeated to load multiple files.
@@@ -3447,18 -3374,18 +3456,14 @@@ DOC_STAR
  
        tls-min-version=1.N
                        The minimum TLS protocol version to permit. To control
--                      SSLv3 use the ssloptions= parameter.
++                      SSLv3 use the tls-options= parameter.
                        Supported Values: 1.0 (default), 1.1, 1.2
  
--      ssloptions=...  Specify various SSL implementation options:
++      tls-options=... Specify various TLS implementation options.
  
--                          NO_SSLv3    Disallow the use of SSLv3
++                      OpenSSL options most important are:
  
--                          NO_TLSv1    Disallow the use of TLSv1.0
--
--                          NO_TLSv1_1  Disallow the use of TLSv1.1
--
--                          NO_TLSv1_2  Disallow the use of TLSv1.2
++                          NO_SSLv3    Disallow the use of SSLv3
  
                            SINGLE_DH_USE
                                      Always create a new key when using
  
                        See the OpenSSL SSL_CTX_set_options documentation for a
                        more complete list.
--      
++
++                      GnuTLS options most important are:
++
++                          %NO_TICKETS
++                                    Disable use of RFC5077 session tickets.
++                                    Some servers may have problems
++                                    understanding the TLS extension due
++                                    to ambiguous specification in RFC4507.
++
++                              See the GnuTLS Priority Strings documentation
++                              for a more complete list.
++                              http://www.gnutls.org/manual/gnutls.html#Priority-Strings
++
        tls-cafile=     PEM file containing CA certificates to use when verifying
                        the peer certificate. May be repeated to load multiple files.
        
@@@ -8772,17 -8699,17 +8789,13 @@@ DOC_STAR
  
        tls-min-version=1.N
                        The minimum TLS protocol version to permit. To control
--                      SSLv3 use the ssloptions= parameter.
++                      SSLv3 use the tls-options= parameter.
                        Supported Values: 1.0 (default), 1.1, 1.2
  
        tls-options=... Specify various OpenSSL library options:
  
                            NO_SSLv3    Disallow the use of SSLv3
  
--                          NO_TLSv1    Disallow the use of TLSv1.0
--                          NO_TLSv1_1  Disallow the use of TLSv1.1
--                          NO_TLSv1_2  Disallow the use of TLSv1.2
--
                            SINGLE_DH_USE
                                      Always create a new key when using
                                      temporary/ephemeral DH key exchanges
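Review bot: The header line kept in this hunk, `tls-options=... Specify various OpenSSL library options:`, is now inconsistent with the first two hunks of this file, which reword the equivalent header to `Specify various TLS implementation options.` and add a `GnuTLS options most important are:` subsection listing `%NO_TICKETS` with a pointer to the GnuTLS Priority Strings documentation. As written, an administrator reading this directive's documentation on a GnuTLS build is told that only OpenSSL options exist and is given no hint that a priority string is what this parameter accepts there. Suggest changing the line to `tls-options=... Specify various TLS implementation options.` and appending the same OpenSSL/GnuTLS subsections used in the hunk at +3456, so all three directives document the option set identically. The removal of the NO_TLSv1/NO_TLSv1_1/NO_TLSv1_2 entries here matches the other two hunks and needs no further change.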
Simple merge
diff --cc src/comm.cc
Simple merge
diff --cc src/ssl/bio.cc
Simple merge
diff --cc src/ssl/bio.h
index 512a3b5a4503cf53fdf007bb4d987668405ba20b,e4d1764dc10d3876e570f50e686fb8b66871a276..c99d565b749991d284f814e1796031861abbb120
@@@ -9,7 -9,8 +9,9 @@@
  #ifndef SQUID_SSL_BIO_H
  #define SQUID_SSL_BIO_H
  
+ #if USE_OPENSSL
 +#include "FadingCounter.h"
  #include "fd.h"
  #include "security/Handshake.h"
  
index 8cecb599c8b2fca683f2bf4ceedc51478bd7b515,dea8df5ab07f69763c0dc342d6787311701e1ad6..12d0cc12bc583073c2b386dfa31b7e00d76609ba
@@@ -632,8 -655,8 +633,6 @@@ Ssl::InitClientContext(Security::Contex
      if (!ctx)
          return false;
  
-     SSL_CTX_set_options(ctx.get(), options);
 -    maybeDisableRenegotiate(ctx);
--
      if (!peer.sslCipher.isEmpty()) {
          debugs(83, 5, "Using chiper suite " << peer.sslCipher << ".");