/*
- * $Id: cache_cf.cc,v 1.467 2005/03/18 15:36:07 hno Exp $
+ * $Id: cache_cf.cc,v 1.468 2005/03/18 17:12:34 hno Exp $
*
* DEBUG: section 3 Configuration File Parsing
* AUTHOR: Harvest Derived
debug(3, 1) ("Initializing https proxy context\n");
- Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath);
+ Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
{
for (p = Config.peers; p != NULL; p = p->next) {
if (p->use_ssl) {
debug(3, 1) ("Initializing cache_peer %s SSL context\n", p->name);
- p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath);
+ p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath, p->sslcrlfile);
}
}
}
for (s = Config.Sockaddr.https; s != NULL; s = (https_port_list *) s->http.next) {
debug(3, 1) ("Initializing https_port %s:%d SSL context\n", inet_ntoa(s->http.s.sin_addr), ntohs(s->http.s.sin_port));
- s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile, s->sslcontext);
+ s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->crlfile, s->dhfile, s->sslcontext);
}
}
p->sslcipher = xstrdup(token + 10);
} else if (strncmp(token, "sslcafile=", 10) == 0) {
safe_free(p->sslcafile);
- p->sslcipher = xstrdup(token + 10);
+ p->sslcafile = xstrdup(token + 10);
} else if (strncmp(token, "sslcapath=", 10) == 0) {
safe_free(p->sslcapath);
- p->sslcipher = xstrdup(token + 10);
+ p->sslcapath = xstrdup(token + 10);
+ } else if (strncmp(token, "sslcrlfile=", 11) == 0) {
+ safe_free(p->sslcrlfile);
+ p->sslcapath = xstrdup(token + 10);
} else if (strncmp(token, "sslflags=", 9) == 0) {
safe_free(p->sslflags);
p->sslflags = xstrdup(token + 9);
} else if (strncmp(token, "capath=", 7) == 0) {
safe_free(s->capath);
s->capath = xstrdup(token + 7);
+ } else if (strncmp(token, "crlfile=", 8) == 0) {
+ safe_free(s->crlfile);
+ s->crlfile = xstrdup(token + 8);
} else if (strncmp(token, "dhparams=", 9) == 0) {
safe_free(s->dhfile);
s->dhfile = xstrdup(token + 9);
if (s->capath)
storeAppendPrintf(e, " capath=%s", s->capath);
+ if (s->crlfile)
+ storeAppendPrintf(e, " crlfile=%s", s->crlfile);
+
if (s->dhfile)
storeAppendPrintf(e, " dhparams=%s", s->dhfile);
#
-# $Id: cf.data.pre,v 1.383 2005/03/18 16:51:22 hno Exp $
+# $Id: cf.data.pre,v 1.384 2005/03/18 17:12:34 hno Exp $
#
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
clientca will be used
capath= Directory containing additional CA certificates
- to use when verifying client certificates
+ and CRL lists to use when verifying client certificates
+
+ crlfile= File of additional CRL lists to use when verifying
+ the client certificate, in addition to CRLs stored in
+ the capath. Implies VERIFY_CRL flag below.
dhparams= File containing DH parameters for temporary/ephemeral
DH key exchanges
DELAYED_AUTH
Don't request client certificates
immediately, but wait until acl processing
- requires a certificate
+ requires a certificate (not yet implemented)
NO_DEFAULT_CA
- Don't use the default CA list built in
+ Don't use the default CA lists built in
to OpenSSL
NO_SESSION_REUSE
Don't allow for session reuse. Each connection
will result in a new SSL session.
+ VERIFY_CRL
+ Verify CRL lists when accepting client
+ certificates
+ VERIFY_CRL_ALL
+ Verify CRL lists for all certificates in the
+ client certificate chain
sslcontext= SSL session ID context identifier.
/*
- * $Id: ssl_support.cc,v 1.28 2005/03/18 16:51:22 hno Exp $
+ * $Id: ssl_support.cc,v 1.29 2005/03/18 17:12:34 hno Exp $
*
* AUTHOR: Benno Rice
* DEBUG: section 83 SSL accelerator support
#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
+#define SSL_FLAG_VERIFY_CRL (1<<5)
+#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
static long
ssl_parse_flags(const char *flags)
fl |= SSL_FLAG_DONT_VERIFY_DOMAIN;
else if (strcmp(flag, "NO_SESSION_REUSE") == 0)
fl |= SSL_FLAG_NO_SESSION_REUSE;
+
+#ifdef X509_V_FLAG_CRL_CHECK
+
+ else if (strcmp(flag, "VERIFY_CRL") == 0)
+ fl |= SSL_FLAG_VERIFY_CRL;
+ else if (strcmp(flag, "VERIFY_CRL_ALL") == 0)
+ fl |= SSL_FLAG_VERIFY_CRL_ALL;
+
+#endif
+
else
fatalf("Unknown ssl flag '%s'", flag);
}
+static int
+ssl_load_crl(SSL_CTX *sslContext, const char *CRLfile)
+{
+ X509_STORE *st = SSL_CTX_get_cert_store(sslContext);
+ X509_CRL *crl;
+ BIO *in = BIO_new_file(CRLfile, "r");
+ int count = 0;
+
+ if (!in) {
+ debug(83, 2)("WARNING: Failed to open CRL file '%s'\n", CRLfile);
+ return 0;
+ }
+
+ while ((crl = PEM_read_bio_X509_CRL(in,NULL,NULL,NULL))) {
+ if (!X509_STORE_add_crl(st, crl))
+ debug(83, 2)("WARNING: Failed to add CRL from file '%s'\n", CRLfile);
+ else
+ count++;
+
+ X509_CRL_free(crl);
+ }
+
+ BIO_free(in);
+ return count;
+}
+
SSL_CTX *
-sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhfile, const char *context)
+sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhfile, const char *context)
{
int ssl_error;
SSL_METHOD *method;
debug(83, 9) ("Setting CA certificate locations.\n");
- if ((!SSL_CTX_load_verify_locations(sslContext, CAfile, CApath))) {
+ if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) {
ssl_error = ERR_get_error();
debug(83, 1) ("Error setting CA certificate locations: %s\n",
ERR_error_string(ssl_error, NULL));
debug(83, 9) ("Requiring client certificates.\n");
SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
}
+
+ if (CRLfile) {
+ ssl_load_crl(sslContext, CRLfile);
+ fl |= SSL_FLAG_VERIFY_CRL;
+ }
+
+#ifdef X509_V_FLAG_CRL_CHECK
+ if (fl & SSL_FLAG_VERIFY_CRL_ALL)
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ else if (fl & SSL_FLAG_VERIFY_CRL)
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK);
+
+#endif
+
} else {
debug(83, 9) ("Not requiring any client certificates\n");
SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
}
SSL_CTX *
-sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath)
+sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile)
{
int ssl_error;
SSL_METHOD *method;
debug(83, 9) ("Setting CA certificate locations.\n");
- if (CAfile || CApath)
- if ((!SSL_CTX_load_verify_locations(sslContext, CAfile, CApath))) {
- ssl_error = ERR_get_error();
- debug(83, 1) ("Error setting CA certificate locations: %s\n",
- ERR_error_string(ssl_error, NULL));
- debug(83, 1) ("continuing anyway...\n");
- }
+ if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) {
+ ssl_error = ERR_get_error();
+ debug(83, 1) ("Error setting CA certificate locations: %s\n",
+ ERR_error_string(ssl_error, NULL));
+ debug(83, 1) ("continuing anyway...\n");
+ }
+
+ if (CRLfile) {
+ ssl_load_crl(sslContext, CRLfile);
+ fl |= SSL_FLAG_VERIFY_CRL;
+ }
+
+#ifdef X509_V_FLAG_CRL_CHECK
+ if (fl & SSL_FLAG_VERIFY_CRL_ALL)
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ else if (fl & SSL_FLAG_VERIFY_CRL)
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK);
+
+#endif
if (!(fl & SSL_FLAG_NO_DEFAULT_CA) &&
!SSL_CTX_set_default_verify_paths(sslContext)) {
/*
- * $Id: ssl_support.h,v 1.10 2005/03/18 16:51:22 hno Exp $
+ * $Id: ssl_support.h,v 1.11 2005/03/18 17:12:34 hno Exp $
*
* AUTHOR: Benno Rice
*
#include <openssl/engine.h>
#endif
-SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhpath, const char *context);
-SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath);
+SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhpath, const char *context);
+SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);
int ssl_read_method(int, char *, int);
int ssl_write_method(int, const char *, int);
void ssl_shutdown_method(int);
/*
- * $Id: structs.h,v 1.513 2005/03/18 15:36:08 hno Exp $
+ * $Id: structs.h,v 1.514 2005/03/18 17:12:34 hno Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
char *clientca;
char *cafile;
char *capath;
+ char *crlfile;
char *dhfile;
char *sslflags;
char *sslcontext;
char *cipher;
char *cafile;
char *capath;
+ char *crlfile;
char *flags;
SSL_CTX *sslContext;
}
char *sslcipher;
char *sslcafile;
char *sslcapath;
+ char *sslcrlfile;
char *sslflags;
char *ssldomain;
SSL_CTX *sslContext;
projects / thirdparty / squid.git / commitdiff
