to configure the minimum version the TLS negotiation will allow to be used
when an old TLS version is requested by the remote endpoint.
+<p>The system Trusted CAs are no longer used by default when verifying client
+ certificates. The <em>cafile=</em> option should be used instead to load
+ the specific CA which signed acceptible client certificates explicitly,
+ even if that CA is one of the system Trusted CAs.
+ The <em>tls-default-ca</em> option can be used to restore the old
+ behaviour explicitly if needed.
+
<sect1>MSNT-multi-domain helper removal
<p>The <em>basic_msnt_multi_domain_auth</em> helper has been removed. The
<p>New option <em>auth-no-keytab</em> to let GSSAPI implementation determine
which Kerberos credentials to use, instead of specifying a keytab.
<p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
- <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
+ <p>New option <em>tls-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
<p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension.
<p>All <em>ssloptions=</em> values for SSLv2 configuration or disabling
have been removed.
<tag>http_port</tag>
<p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
- <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
+ <p>New option <em>tls-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
<p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension.
<p>All <em>option=</em> values for SSLv2 configuration or disabling
have been removed.
<p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
<p>Manual squid.conf update may be required on upgrade.
<p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries.
- <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
+ <p>New option <em>tls-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>,
+ the default is also changed to OFF.
<tag>https_port</tag>
<p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
- <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
+ <p>New option <em>tls-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>,
+ the default is also changed to OFF.
<p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension.
<p>All <em>options=</em> values for SSLv2
configuration or disabling have been removed.
certificate(s) to verify the server certificate.
<p>New <em>tls-crlfile=</em> option to set a file with a CRL to verify the
server certificate.
+ <p>New <em>tls-default-ca</em> option to use the system Trusted CAs to
+ verify the server certificate.
<p>New <em>tls-domain=</em> option to verify the server certificate domain.
<tag>logformat</tag>
Verify CRL lists for all certificates in the
client certificate chain.
- tls-no-default-ca
- Do not use the system default Trusted CA.
+ tls-default-ca[=off]
+ Whether to use the system Trusted CAs. Default is OFF.
tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
Don't verify the peer certificate
matches the server name
- no-default-ca Do not use the system default Trusted CA.
+ default-ca[=off]
+ Whether to use the system Trusted CAs. Default is ON.
domain= The peer name as advertised in its certificate.
Used for verifying the correctness of the received peer
See MS KB document Q307347 for details on this header.
If set to auto the header will only be added if the
request is forwarded as a https:// URL.
-
- tls-no-default-ca
- Do not use the system default Trusted CA.
+
+ tls-default-ca[=off]
+ Whether to use the system Trusted CAs. Default is ON.
tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
the icap server certificate.
Use to specify intermediate CA certificate(s) if not sent
by the server. Or the full CA chain for the server when
- using the tls-no-default-ca flag.
+ using the tls-default-ca=off flag.
May be repeated to load multiple files.
tls-capath=... A directory containing additional CA certificates to
Don't verify the icap server certificate
matches the server name
- tls-no-default-ca
- Do no use the system default Trusted CA.
+ tls-default-ca[=off]
+ Whether to use the system Trusted CAs. Default is ON.
tls-domain= The icap server name as advertised in it's certificate.
Used for verifying the correctness of the received icap
}
sslFlags = SBuf(token + 6);
parsedFlags = parseFlags();
- } else if (strncmp(token, "no-default-ca", 13) == 0) {
- flags.tlsDefaultCa = false;
+ } else if (strncmp(token, "default-ca=off", 14) == 0 || strncmp(token, "no-default-ca", 13) == 0) {
+ if (flags.tlsDefaultCa.configured() && flags.tlsDefaultCa)
+ fatalf("ERROR: previous default-ca settings conflict with %s", token);
+ flags.tlsDefaultCa.configure(false);
+ } else if (strncmp(token, "default-ca=on", 13) == 0 || strncmp(token, "default-ca", 10) == 0) {
+ if (flags.tlsDefaultCa.configured() && !flags.tlsDefaultCa)
+ fatalf("ERROR: previous default-ca settings conflict with %s", token);
+ flags.tlsDefaultCa.configure(true);
} else if (strncmp(token, "domain=", 7) == 0) {
sslDomain = SBuf(token + 7);
} else if (strncmp(token, "no-npn", 6) == 0) {
if (!sslFlags.isEmpty())
p->appendf(" %sflags=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslFlags));
- if (!flags.tlsDefaultCa)
- p->appendf(" %sno-default-ca", pfx);
+ if (flags.tlsDefaultCa.configured()) {
+ // default ON for peers / upstream servers
+ // default OFF for listening ports
+ if (flags.tlsDefaultCa)
+ p->appendf(" %sdefault-ca", pfx);
+ else
+ p->appendf(" %sdefault-ca=off", pfx);
+ }
if (!flags.tlsNpn)
p->appendf(" %sno-npn", pfx);
if (!found)
fatalf("Unknown TLS flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining()));
if (found == SSL_FLAG_NO_DEFAULT_CA) {
- debugs(83, DBG_PARSE_NOTE(2), "UPGRADE WARNING: flags=NO_DEFAULT_CA is deprecated. Use tls-no-default-ca instead.");
- flags.tlsDefaultCa = false;
+ if (flags.tlsDefaultCa.configured() && flags.tlsDefaultCa)
+ fatal("ERROR: previous default-ca settings conflict with sslflags=NO_DEFAULT_CA");
+ debugs(83, DBG_PARSE_NOTE(2), "WARNING: flags=NO_DEFAULT_CA is deprecated. Use tls-default-ca=off instead.");
+ flags.tlsDefaultCa.configure(false);
} else
fl |= found;
} while (tok.skipOne(delims));
#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
#define SQUID_SRC_SECURITY_PEEROPTIONS_H
+#include "base/YesNoNone.h"
#include "ConfigParser.h"
#include "security/KeyData.h"
std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate
-private:
+protected:
int sslVersion;
/// flags governing Squid internal TLS operations
flags_() : tlsDefaultCa(true), tlsNpn(true) {}
/// whether to use the system default Trusted CA when verifying the remote end certificate
- bool tlsDefaultCa;
+ YesNoNone tlsDefaultCa;
/// whether to use the TLS NPN extension on these connections
bool tlsNpn;
class ServerOptions : public PeerOptions
{
public:
- ServerOptions() : PeerOptions() {}
+ ServerOptions() : PeerOptions() {
+ // Bug 4005: dynamic contexts use a lot of memory and it
+ // is more secure to have only a small set of trusted CA.
+ flags.tlsDefaultCa.defaultTo(false);
+ }
explicit ServerOptions(const Security::ServerOptions &);
virtual ~ServerOptions() = default;
projects / thirdparty / squid.git / commitdiff
