sslFlags = SBuf(token + 6);
parsedFlags = parseFlags();
} else if (strncmp(token, "no-default-ca", 13) == 0) {
- flags.noDefaultCa = true;
+ flags.tlsDefaultCa = false;
} else if (strncmp(token, "domain=", 7) == 0) {
sslDomain = SBuf(token + 7);
} else if (strncmp(token, "no-npn", 6) == 0) {
if (!sslFlags.isEmpty())
p->appendf(" %sflags=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslFlags));
- if (flags.noDefaultCa)
+ if (!flags.tlsDefaultCa)
p->appendf(" %sno-default-ca", pfx);
if (!flags.tlsNpn)
fatalf("Unknown TLS flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining()));
if (found == SSL_FLAG_NO_DEFAULT_CA) {
debugs(83, DBG_PARSE_NOTE(2), "UPGRADE WARNING: flags=NO_DEFAULT_CA is deprecated. Use tls-no-default-ca instead.");
- flags.noDefaultCa = true;
+ flags.tlDefaultCa = false;
} else
fl |= found;
} while (tok.skipOne(delims));
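Review bot: `flags.tlDefaultCa` in the deprecated `flags=NO_DEFAULT_CA` branch is misspelled. The member this commit declares is `tlsDefaultCa`, so the line should read `flags.tlsDefaultCa = false;` and will not compile as written wherever this branch is built. The `#endif` right after the loop suggests the branch is conditionally compiled, so a build without that option would probably not catch the error. This flag decides whether the system default trusted CAs are used to verify the remote certificate, so a config-parse test that the legacy spelling still turns them off would be worth adding. The enclosing function starts and ends outside the hunk.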
#endif
}
- if (flags.noDefaultCa)
+ if (!flags.tlsDefaultCa)
return;
#if USE_OPENSSL
/// flags governing Squid internal TLS operations
struct flags_ {
- flags_() : noDefaultCa(false), tlsNpn(true) {}
+ flags_() : tlsDefaultCa(true), tlsNpn(true) {}
- /// do not use the system default Trusted CA when verifying the remote end certificate
- bool noDefaultCa;
+ /// whether to use the system default Trusted CA when verifying the remote end certificate
+ bool tlsDefaultCa;
/// whether to use the TLS NPN extension on these connections
bool tlsNpn;