s->sslContextSessionId));
Ssl::readCertChainAndPrivateKeyFromFiles(s->signingCert, s->signPkey, s->certsToChain, s->cert, s->key);
+
+ if (!s->signPkey)
+ debugs(3, DBG_IMPORTANT, "No SSL private key configured for http_port " << s->http.s);
+
+ Ssl::generateUntrustedCert(s->untrustedSigningCert, s->untrustedSignPkey,
+ s->signingCert, s->signPkey);
}
}
s->cafile, s->capath, s->crlfile, s->dhfile,
s->sslContextSessionId));
- if (s->cert && s->sslBump)
+ if (s->cert && s->sslBump) {
Ssl::readCertChainAndPrivateKeyFromFiles(s->signingCert, s->signPkey, s->certsToChain, s->cert, s->key);
+ if (!s->signPkey)
+ debugs(3, DBG_IMPORTANT, "No SSL private key configured for https_port " << s->http.s);
+
+ Ssl::generateUntrustedCert(s->untrustedSigningCert, s->untrustedSignPkey,
+ s->signingCert, s->signPkey);
+ }
}
}
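Review bot: The bool returned by Ssl::generateUntrustedCert() is discarded on the added call at the end of this block (and likewise in the http_port block above), so a failed generation leaves s->untrustedSigningCert empty with nothing logged, whereas the start-up code this replaces asserted on the generateSslCertificate() result. The call is also made when s->signPkey is null, after only a DBG_IMPORTANT warning, and it is not visible from here whether generateSslCertificate() tolerates a null signWithPkey. Suggest `if (!Ssl::generateUntrustedCert(s->untrustedSigningCert, s->untrustedSignPkey, s->signingCert, s->signPkey))` followed by `debugs(3, DBG_IMPORTANT, "ERROR: Cannot generate untrusted signing certificate for https_port " << s->http.s);`. The enclosing function starts outside the hunk.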
#include "ssl/support.h"
#include "ssl/gadgets.h"
-Ssl::X509_Pointer Ssl::SquidCaCert;
-Ssl::EVP_PKEY_Pointer Ssl::SquidCaCertKey;
-
/**
\defgroup ServerProtocolSSLInternal Server-Side SSL Internals
\ingroup ServerProtocolSSLAPI
}
- // Generate the self-signed Ssl::SquidCaCert, using the "SquidLocalCa" as CN
- Ssl::CertificateProperties certProperties;
- certProperties.commonName = "Squid CA for Untrusted Certificates";
- certProperties.signAlgorithm = Ssl::algSignSelf;
- bool ret = Ssl::generateSslCertificate(Ssl::SquidCaCert, Ssl::SquidCaCertKey, certProperties);
- assert(ret);
-
ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, NULL);
ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL);
ssl_ex_index_cert_error_check = SSL_get_ex_new_index(0, (void *) "cert_error_check", NULL, &ssl_dupAclChecklist, &ssl_freeAclChecklist);
}
}
-const char *Ssl::CommonHostName(X509 *x509)
+static const char *getSubjectEntry(X509 *x509, int nid)
{
- static char name[256] = ""; // stores common name (CN)
+ static char name[1024] = ""; // stores common name (CN)
if (!x509)
return NULL;
- // TODO: What if CN is a UTF8String? See X509_NAME_get_index_by_NID(3ssl).
+ // TODO: What if the entry is a UTF8String? See X509_NAME_get_index_by_NID(3ssl).
const int nameLen = X509_NAME_get_text_by_NID(
X509_get_subject_name(x509),
- NID_commonName, name, sizeof(name));
+ nid, name, sizeof(name));
if (nameLen > 0)
return name;
return NULL;
}
+
+const char *Ssl::CommonHostName(X509 *x509)
+{
+ return getSubjectEntry(x509, NID_commonName);
+}
+
+static const char *getOrganization(X509 *x509)
+{
+ return getSubjectEntry(x509, NID_organizationName);
+}
+
+bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey)
+{
+ // Generate the self-signed certificate, using a hard-coded subject prefix
+ Ssl::CertificateProperties certProperties;
+ if (const char *cn = CommonHostName(cert.get())) {
+ certProperties.commonName = "Not trusted by \"";
+ certProperties.commonName += cn;
+ certProperties.commonName += "\"";
+ }
+ else if (const char *org = getOrganization(cert.get())) {
+ certProperties.commonName = "Not trusted by \"";
+ certProperties.commonName += org;
+ certProperties.commonName += "\"";
+ }
+ else
+ certProperties.commonName = "Not trusted";
+ certProperties.setCommonName = true;
+ // O, OU, and other CA subject fields will be mimicked
+ // Expiration date and other common properties will be mimicked
+ certProperties.signAlgorithm = Ssl::algSignSelf;
+ certProperties.signWithPkey.resetAndLock(pkey.get());
+ certProperties.mimicCert.resetAndLock(cert.get());
+ return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties);
+}
+
#endif /* USE_SSL */
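Review bot: The comment on the static buffer in getSubjectEntry, `// stores common name (CN)`, is stale now that the entry is chosen by the nid parameter, and it does not say the buffer is shared: a pointer returned by CommonHostName() is overwritten by the next call to either wrapper, which the cn/org chain in generateUntrustedCert() only survives because each result is consumed before the other lookup runs. Suggest `// shared buffer for the requested subject entry; overwritten by every call, so copy the result before the next CommonHostName()/getOrganization() call`, with a matching sentence on the CommonHostName() declaration in the header. X509_NAME_get_text_by_NID() also silently truncates entries longer than sizeof(name)-1, which deserves a word in the same comment. The duplicated `"Not trusted by \""` assembly for cn and org could be a single branch over whichever lookup succeeds, e.g. `const char *label = CommonHostName(cert.get()); if (!label) label = getOrganization(cert.get());`.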
namespace Ssl
{
-
-/**
- \ingroup ServerProtocolSSLAPI
- * A temporary self-signed certificate generated on squid start up, to be
- * used to sign the generated untrusted certificates.
-*/
-extern X509_Pointer SquidCaCert;
-
/**
\ingroup ServerProtocolSSLAPI
- * The key of the SquidCaCert certificate.
+ * Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
*/
-extern EVP_PKEY_Pointer SquidCaCertKey;
+bool generateUntrustedCert(X509_Pointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey);
/**
\ingroup ServerProtocolSSLAPI