sslContextSessionId(NULL),
generateHostCertificates(false),
dynamicCertMemCacheSize(std::numeric_limits<size_t>::max()),
- staticSslContext(),
signingCert(),
signPkey(),
certsToChain(),
}
secure.updateTlsVersionLimits();
+ secure.staticContext.reset(sslCreateServerContext(*this));
- staticSslContext.reset(sslCreateServerContext(*this));
-
- if (!staticSslContext) {
+ if (!secure.staticContext) {
char buf[128];
- fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
+ fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
}
}
#endif
#if USE_OPENSSL
char *clientca;
- char *sslContextSessionId; ///< "session id context" for staticSslContext
+ char *sslContextSessionId; ///< "session id context" for secure.staticSslContext
bool generateHostCertificates; ///< dynamically make host cert for sslBump
size_t dynamicCertMemCacheSize; ///< max size of generated certificates memory cache
- Security::ContextPointer staticSslContext; ///< for HTTPS accelerator or static sslBump
Security::CertPointer signingCert; ///< x509 certificate for signing generated certificates
Ssl::EVP_PKEY_Pointer signPkey; ///< private key for sighing generated certificates
Ssl::X509_STACK_Pointer certsToChain; ///< x509 certificates to send with the generated cert
acl_checklist->nonBlockingCheck(httpsSslBumpAccessCheckDone, this);
return;
} else {
- Security::ContextPtr sslContext = port->staticSslContext.get();
- httpsEstablish(this, sslContext);
+ httpsEstablish(this, port->secure.staticContext.get());
}
}
// If generated ssl context = NULL, try to use static ssl context.
if (!sslContext) {
- if (!port->staticSslContext) {
- debugs(83, DBG_IMPORTANT, "Closing SSL " << clientConnection->remote << " as lacking SSL context");
+ if (!port->secure.staticContext) {
+ debugs(83, DBG_IMPORTANT, "Closing " << clientConnection->remote << " as lacking TLS context");
clientConnection->close();
return;
} else {
- debugs(33, 5, HERE << "Using static ssl context.");
- sslContext = port->staticSslContext.get();
+ debugs(33, 5, "Using static TLS context.");
+ sslContext = port->secure.staticContext.get();
}
}
debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s);
s->flags.tunnelSslBumping = false;
}
- if (!s->staticSslContext && !s->generateHostCertificates) {
+ if (!s->secure.staticContext && !s->generateHostCertificates) {
debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure.");
s->flags.tunnelSslBumping = false;
if (s->transport.protocol == AnyP::PROTO_HTTP)
}
}
- if (s->secure.encryptTransport && !s->staticSslContext) {
+ if (s->secure.encryptTransport && !s->secure.staticContext) {
debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << " due to TLS context initialization failure.");
continue;
}
/// update the context with DH, EDH, EECDH settings
void updateContextEecdh(Security::ContextPtr &);
+public:
+ /// TLS context to use for HTTPS accelerator or static SSL-Bump
+ Security::ContextPointer staticContext;
+
private:
void loadDhParams();
-//public:
- SBuf dh; ///< Diffi-Helman cipher config
-
private:
+ SBuf dh; ///< Diffi-Helman cipher config
SBuf dhParamsFile; ///< Diffi-Helman ciphers parameter file
SBuf eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges
}
for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
- if (s->staticSslContext.get() != NULL)
- setSessionCallbacks(s->staticSslContext.get());
+ if (s->secure.staticContext.get())
+ setSessionCallbacks(s->secure.staticContext.get());
}
}