/// Create TLS connection structure and update fd_table
static bool
-httpsCreate(const Comm::ConnectionPointer &conn, const Security::ContextPointer &ctx)
+httpsCreate(const ConnStateData *connState, const Security::ContextPointer &ctx)
{
- if (Security::CreateServerSession(ctx, conn, "client https start")) {
+ const auto conn = connState->clientConnection;
+ if (Security::CreateServerSession(ctx, conn, connState->port->secure, "client https start")) {
debugs(33, 5, "will negotiate TLS on " << conn);
return true;
}
assert(connState);
const Comm::ConnectionPointer &details = connState->clientConnection;
- if (!ctx || !httpsCreate(details, ctx))
+ if (!ctx || !httpsCreate(connState, ctx))
return;
typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
}
}
- if (!httpsCreate(clientConnection, ctx))
+ if (!httpsCreate(this, ctx))
return;
// bumped intercepted conns should already have Config.Timeout.request set
Security::ContextPointer unConfiguredCTX(Ssl::createSSLContext(port->secure.signingCa.cert, port->secure.signingCa.pkey, port->secure));
fd_table[clientConnection->fd].dynamicTlsContext = unConfiguredCTX;
- if (!httpsCreate(clientConnection, unConfiguredCTX))
+ if (!httpsCreate(this, unConfiguredCTX))
return;
switchedToHttps_ = true;
const char *err = nullptr;
const char *priorities = str.c_str();
gnutls_priority_t op;
- if (gnutls_priority_init(&op, priorities, &err) != GNUTLS_E_SUCCESS) {
- fatalf("Unknown TLS option '%s'", err);
+ int x = gnutls_priority_init(&op, priorities, &err);
+ if (x != GNUTLS_E_SUCCESS) {
+ fatalf("(%s) in TLS options '%s'", ErrorString(x), err);
}
parsedOptions = Security::ParsedOptions(op, [](gnutls_priority_t p) {
debugs(83, 5, "gnutls_priority_deinit p=" << (void*)p);
{
parseOptions();
#if USE_OPENSSL
+ debugs(83, 5, "set OpenSSL options for session=" << s << ", parsedOptions=" << parsedOptions);
// XXX: Options already set before (via the context) are not cleared!
SSL_set_options(s.get(), parsedOptions);
static const SBuf defaults("default");
errMsg = defaults;
} else {
- debugs(83, 5, "set GnuTLS options '" << sslOptions << "' for session=" << s);
+ debugs(83, 5, "set GnuTLS session=" << s << ", options='" << sslOptions << ":" << tlsMinOptions << "'");
x = gnutls_priority_set(s.get(), parsedOptions.get());
errMsg = sslOptions;
}
if (x != GNUTLS_E_SUCCESS) {
- debugs(83, DBG_IMPORTANT, "ERROR: Failed to set TLS options (" << errMsg << ":" << tlsMinVersion << "). error: " << Security::ErrorString(x));
+ debugs(83, DBG_IMPORTANT, "ERROR: session=" << s << " Failed to set TLS options (" << errMsg << ":" << tlsMinVersion << "). error: " << Security::ErrorString(x));
}
#endif
}
template<typename T>
Security::ContextPointer convertContextFromRawPtr(T ctx) const {
#if USE_OPENSSL
+ debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx);
return ContextPointer(ctx, [](SSL_CTX *p) {
- debugs(83, 5, "SSL_free ctx=" << (void*)p);
+ debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
SSL_CTX_free(p);
});
#elif USE_GNUTLS
+ debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
- debugs(83, 5, "gnutls_certificate_free_credentials ctx=" << (void*)p);
+ debugs(83, 0, "gnutls_certificate_credentials destruct this=" << (void*)p);
gnutls_certificate_free_credentials(p);
});
#else
#endif
static bool
-CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::Io::Type type, const char *squidCtx)
+CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::PeerOptions &opts, Security::Io::Type type, const char *squidCtx)
{
if (!Comm::IsConnOpen(conn)) {
debugs(83, DBG_IMPORTANT, "Gone connection");
if (!session) {
errCode = ERR_get_error();
errAction = "failed to allocate handle";
+ debugs(83, DBG_IMPORTANT, "TLS error: " << errAction << ": " << Security::ErrorString(errCode));
}
#elif USE_GNUTLS
gnutls_session_t tmp;
if (errCode != GNUTLS_E_SUCCESS) {
session.reset();
errAction = "failed to initialize session";
+ debugs(83, DBG_IMPORTANT, "TLS error: " << errAction << ": " << Security::ErrorString(errCode));
}
#endif
errCode = gnutls_credentials_set(session.get(), GNUTLS_CRD_CERTIFICATE, ctx.get());
if (errCode == GNUTLS_E_SUCCESS) {
- if (auto *peer = conn->getPeer())
- peer->secure.updateSessionOptions(session);
- else
- Security::ProxyOutgoingConfig.updateSessionOptions(session);
+ opts.updateSessionOptions(session);
// NP: GnuTLS does not yet support the BIO operations
// this does the equivalent of SSL_set_fd() for now.
bool
Security::CreateClientSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
{
- return CreateSession(ctx, c, Security::Io::BIO_TO_SERVER, squidCtx);
+ if (!c || !c->getPeer())
+ return CreateSession(ctx, c, Security::ProxyOutgoingConfig, Security::Io::BIO_TO_SERVER, squidCtx);
+
+ auto *peer = c->getPeer();
+ return CreateSession(ctx, c, peer->secure, Security::Io::BIO_TO_SERVER, squidCtx);
}
bool
-Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
+Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, Security::PeerOptions &o, const char *squidCtx)
{
- return CreateSession(ctx, c, Security::Io::BIO_TO_CLIENT, squidCtx);
+ return CreateSession(ctx, c, o, Security::Io::BIO_TO_CLIENT, squidCtx);
}
void
/// On errors, emits DBG_IMPORTANT with details and returns false.
bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
+class PeerOptions;
+
/// Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO).
/// On errors, emits DBG_IMPORTANT with details and returns false.
-bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
+bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *squidCtx);
#if USE_OPENSSL
typedef std::shared_ptr<SSL> SessionPointer;
#include "security/Session.h"
namespace Security {
bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false)
-bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false)
+bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *) STUB_RETVAL(false)
void SessionSendGoodbye(const Security::SessionPointer &) STUB
bool SessionIsResumed(const Security::SessionPointer &) STUB_RETVAL(false)
void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &) STUB
projects / thirdparty / squid.git / commitdiff
