p->secure.parse(token+3);
#endif
} else if (strncmp(token, "tls-", 4) == 0) {
-#if !USE_OPENSSL
- debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl");
-#else
p->secure.encryptTransport = true;
p->secure.parse(token+4);
-#endif
} else if (strcmp(token, "front-end-https") == 0) {
p->front_end_https = 1;
} else if (strcmp(token, "front-end-https=on") == 0) {
storeAppendPrintf(e, " ssl-bump");
#endif
- if (!s->secure.certFile.isEmpty())
- storeAppendPrintf(e, " tls-cert=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.certFile));
-
- if (!s->secure.privateKeyFile.isEmpty() && s->secure.privateKeyFile != s->secure.certFile)
- storeAppendPrintf(e, " tls-key=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.privateKeyFile));
-
- if (!s->secure.sslOptions.isEmpty())
- storeAppendPrintf(e, " tls-options=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.sslOptions));
-
- if (!s->secure.sslCipher.isEmpty())
- storeAppendPrintf(e, " tls-cipher=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.sslCipher));
-
- if (!s->secure.caFile.isEmpty())
- storeAppendPrintf(e, " tls-cafile=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.caFile));
-
- if (!s->secure.caDir.isEmpty())
- storeAppendPrintf(e, " tls-capath=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.caDir));
-
- if (!s->secure.crlFile.isEmpty())
- storeAppendPrintf(e, " tls-crlfile=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.crlFile));
+ s->secure.dumpCfg(e, "tls-");
#if USE_OPENSSL
if (s->dhfile)
if (s->dynamicCertMemCacheSize != std::numeric_limits<size_t>::max())
storeAppendPrintf(e, "dynamic_cert_mem_cache_size=%lu%s\n", (unsigned long)s->dynamicCertMemCacheSize, B_BYTES_STR);
#endif
-
- if (!s->secure.sslFlags.isEmpty())
- storeAppendPrintf(e, " tls-flags=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.sslFlags));
}
static void
else if (p->connection_auth == 2)
storeAppendPrintf(sentry, " connection-auth=auto");
+ p->secure.dumpCfg(sentry,"tls-");
storeAppendPrintf(sentry, "\n");
}
*/
#include "squid.h"
+#include "base/Packable.h"
#include "Debug.h"
#include "fatal.h"
#include "globals.h"
}
}
+void
+Security::PeerOptions::dumpCfg(Packable *p, const char *pfx) const
+{
+ if (!encryptTransport) {
+ p->appendf(" %sdisable", pfx);
+ return; // no other settings are relevant
+ }
+
+ if (!certFile.isEmpty())
+ p->appendf(" %scert=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(certFile));
+
+ if (!privateKeyFile.isEmpty() && privateKeyFile != certFile)
+ p->appendf(" %skey=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(privateKeyFile));
+
+ if (!sslOptions.isEmpty())
+ p->appendf(" %soptions=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslOptions));
+
+ if (!sslCipher.isEmpty())
+ p->appendf(" %scipher=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslCipher));
+
+ if (!caFile.isEmpty())
+ p->appendf(" %scafile=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(caFile));
+
+ if (!caDir.isEmpty())
+ p->appendf(" %scapath=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(caDir));
+
+ if (!crlFile.isEmpty())
+ p->appendf(" %scrlfile=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(crlFile));
+
+ if (!sslFlags.isEmpty())
+ p->appendf(" %sflags=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslFlags));
+}
+
void
Security::PeerOptions::updateTlsVersionLimits()
{
int64_t v = 0;
if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 2) {
// only account for TLS here - SSL versions are handled by options= parameter
+ // avoid affectign options= parameter in cachemgr config report
+#if SSL_OP_NO_TLSv1
if (v > 0)
- sslOptions.append(",NO_TLSv1",9);
+ parsedOptions |= SSL_OP_NO_TLSv1;
+#endif
+#if SSL_OP_NO_TLSv1_1
if (v > 1)
- sslOptions.append(",NO_TLSv1_1",11);
+ parsedOptions |= SSL_OP_NO_TLSv1_1;
+#endif
+#if SSL_OP_NO_TLSv1_2
if (v > 2)
- sslOptions.append(",NO_TLSv1_2",11);
+ parsedOptions |= SSL_OP_NO_TLSv1_2;
+#endif
} else {
debugs(0, DBG_PARSE_NOTE(1), "WARNING: Unknown TLS minimum version: " << tlsMinVersion);
} else if (sslVersion > 2) {
// backward compatibility hack for sslversion= configuration
// only use if tls-min-version=N.N is not present
-
+ // values 0-2 for auto and SSLv2 are not supported any longer.
+ // Do it this way so we DO cause changes to options= in cachemgr config report
const char *add = NULL;
switch (sslVersion) {
case 3:
/* Special case.. hex specification */
value = strtol(option + 2, NULL, 16);
} else {
- fatalf("Unknown SSL option '%s'", option);
+ fatalf("Unknown TLS option '%s'", option);
value = 0; /* Keep GCC happy */
}
}
}
if (!found)
- fatalf("Unknown SSL flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining()));
+ fatalf("Unknown TLS flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining()));
fl |= found;
} while (tok.skipOne(delims));
#include "SBuf.h"
#include "security/forward.h"
+class Packable;
+
namespace Security
{
/// sync the context options with tls-min-version=N configuration
void updateTlsVersionLimits();
+ /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
+ void dumpCfg(Packable *, const char *pfx) const;
+
SBuf certFile; ///< path of file containing PEM format X509 certificate
SBuf privateKeyFile; ///< path of file containing private key in PEM format
SBuf sslOptions; ///< library-specific options string
// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
-#define dump_securePeerOptions(e,n,x) // not supported yet
+#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
void Security::PeerOptions::parse(char const*) STUB
Security::ContextPointer Security::PeerOptions::createClientContext(bool) STUB_RETVAL(NULL)
void Security::PeerOptions::updateTlsVersionLimits() STUB
+void Security::PeerOptions::dumpCfg(Packable*, char const*) const STUB
void parse_securePeerOptions(Security::PeerOptions *) STUB
long Security::ParseOptions(const char *) STUB_RETVAL(0)
long Security::ParseFlags(const SBuf &) STUB_RETVAL(0)
projects / thirdparty / squid.git / commitdiff
