<tag>cache_peer</tag>
<p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
<p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
+ <p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension.
<p>All <em>ssloptions=</em> values for SSLv2 configuration or disabling
have been removed.
<p>Removed <em>sslversion=</em> option. Use <em>tls-options=</em> instead.
<tag>http_port</tag>
<p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
<p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
+ <p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension.
<p>All <em>option=</em> values for SSLv2 configuration or disabling
have been removed.
<p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
<tag>https_port</tag>
<p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
<p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
+ <p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension.
<p>All <em>options=</em> values for SSLv2
configuration or disabling have been removed.
<p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
if (!onOverloadSet)
onOverload = bypass ? srvBypass : srvWait;
+ // disable the TLS NPN extension if encrypted.
+ // Squid advertises "http/1.1", which is wrong for ICAPS.
+ if (secure.encryptTransport)
+ secure.parse("no-npn");
+
// is the service URI set?
if (!grokkedUri) {
debugs(3, DBG_CRITICAL, cfg_filename << ':' << config_lineno << ": " <<
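Review bot: The added `secure.parse("no-npn")` appears to run after the service's own tls- options have been consumed, so for every encrypted ICAP service the setting is forced and cannot be overridden from the config; the comment should say that rather than "if encrypted". Suggest `// ICAPS: always disable NPN. Squid's NPN callback advertises "http/1.1",` / `// which is wrong for ICAP, and the admin cannot usefully re-enable it.` The ordering is inferred from the surrounding context only, and the enclosing function starts and ends outside this hunk.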
tls-no-default-ca
Do not use the system default Trusted CA.
+ tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+
sslcontext= SSL session ID context identifier.
Other Options:
tls-no-default-ca
Do not use the system default Trusted CA.
+ tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
+
==== GENERAL OPTIONS ====
connect-timeout=N
flags.noDefaultCa = true;
} else if (strncmp(token, "domain=", 7) == 0) {
sslDomain = SBuf(token + 7);
+ } else if (strncmp(token, "no-npn", 6) == 0) {
+ flags.tlsNpn = false;
} else {
debugs(3, DBG_CRITICAL, "ERROR: Unknown TLS option '" << token << "'");
return;
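Review bot: `strncmp(token, "no-npn", 6) == 0` is a prefix match, so a mistyped token such as `no-npnx` or `no-npn=yes` silently clears flags.tlsNpn instead of reaching the "Unknown TLS option" error below it. A value-less flag should be compared exactly: `} else if (strcmp(token, "no-npn") == 0) {`. If the neighbouring flag branches (the no-default-ca one at the top of the hunk) use the same prefix compare, the same caveat applies to them. The enclosing parse function starts and ends outside this hunk.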
if (flags.noDefaultCa)
p->appendf(" %sno-default-ca", pfx);
+
+ if (!flags.tlsNpn)
+ p->appendf(" %sno-npn", pfx);
}
void
#endif
if (t) {
+ updateContextNpn(t);
updateContextCa(t);
updateContextCrl(t);
}
#endif
}
+#if USE_OPENSSL && defined(TLSEXT_TYPE_next_proto_neg)
+// Dummy next_proto_neg callback
+static int
+ssl_next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+{
+ static const unsigned char supported_protos[] = {8, 'h','t','t', 'p', '/', '1', '.', '1'};
+ (void)SSL_select_next_proto(out, outlen, in, inlen, supported_protos, sizeof(supported_protos));
+ return SSL_TLSEXT_ERR_OK;
+}
+#endif
+
+void
+Security::PeerOptions::updateContextNpn(Security::ContextPtr &ctx)
+{
+ if (!flags.tlsNpn)
+ return;
+
+#if USE_OPENSSL && defined(TLSEXT_TYPE_next_proto_neg)
+ SSL_CTX_set_next_proto_select_cb(ctx, &ssl_next_proto_cb, nullptr);
+#endif
+
+ // NOTE: GnuTLS does not support the obsolete NPN extension.
+ // it does support ALPN per-session, not per-context.
+}
+
void
Security::PeerOptions::updateContextCa(Security::ContextPtr &ctx)
{
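Review bot: ssl_next_proto_cb discards the result of SSL_select_next_proto, and the "Dummy" comment does not tell a reader that this is deliberate: when the server offers nothing matching, OpenSSL still points out/outlen at the first client protocol and the callback returns SSL_TLSEXT_ERR_OK, so "http/1.1" is claimed regardless (this matches the code moved from ssl/support.cc, not new behaviour). Suggest replacing the comment with `// NPN select callback: always claim "http/1.1" (length-prefixed wire format).` / `// The select result is ignored on purpose; the claim is made even with no server overlap.` The unused `s` and `arg` parameter names could be dropped to keep -Wunused-parameter quiet. The GnuTLS note at the end of updateContextNpn reads better as `// NOTE: GnuTLS does not support the obsolete NPN extension; it supports ALPN, but per-session rather than per-context.`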
/// sync the context options with tls-min-version=N configuration
void updateTlsVersionLimits();
+ /// setup the NPN extension details for the given context
+ void updateContextNpn(Security::ContextPtr &);
+
/// setup the CA details for the given context
void updateContextCa(Security::ContextPtr &);
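Review bot: The declaration comment `/// setup the NPN extension details for the given context` is vaguer than what the implementation does: the only effect is installing OpenSSL's client-side select callback via SSL_CTX_set_next_proto_select_cb when flags.tlsNpn is set, and nothing at all under GnuTLS or an OpenSSL lacking TLSEXT_TYPE_next_proto_neg. Suggest `/// install the client-side NPN select callback on ctx; no-op when tls-no-npn is set or NPN is unavailable`. Since tls-no-npn is also documented for http_port and https_port in this commit, it is worth confirming whether the listening side has any NPN handling for the flag to disable; I cannot see one in this change.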
/// flags governing Squid internal TLS operations
struct flags_ {
- flags_() : noDefaultCa(false) {}
+ flags_() : noDefaultCa(false), tlsNpn(true) {}
/// do not use the system default Trusted CA when verifying the remote end certificate
bool noDefaultCa;
+
+ /// whether to use the TLS NPN extension on these connections
+ bool tlsNpn;
} flags;
public:
return sslContext;
}
-#if defined(TLSEXT_TYPE_next_proto_neg)
-//Dummy next_proto_neg callback
-static int
-ssl_next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
-{
- static const unsigned char supported_protos[] = {8, 'h','t','t', 'p', '/', '1', '.', '1'};
- (void)SSL_select_next_proto(out, outlen, in, inlen, supported_protos, sizeof(supported_protos));
- return SSL_TLSEXT_ERR_OK;
-}
-#endif
-
Security::ContextPtr
sslCreateClientContext(Security::PeerOptions &peer, long options, long fl)
{
SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
}
-#if defined(TLSEXT_TYPE_next_proto_neg)
- SSL_CTX_set_next_proto_select_cb(sslContext, &ssl_next_proto_cb, NULL);
-#endif
return sslContext;
}