AC_MSG_NOTICE([Support for Ident lookups enabled: ${enable_ident_lookups:=yes}])
SQUID_DEFINE_BOOL(USE_IDENT,$enable_ident_lookups,[Support for Ident (RFC 931) lookups])
-AM_CONDITIONAL(USE_SSL_CRTD, false)
-AC_ARG_ENABLE(ssl-crtd,
- AC_HELP_STRING([--enable-ssl-crtd],
- [Prevent Squid from directly generation of SSL private key and
- certificate request and instead enables the ssl_crtd processes.]), [
- SQUID_YESNO([$enableval],
- [unrecogized argument to --enable-ssl-crtd: $enableval])
-])
-
-if test "x$enable_ssl_crtd" = "xyes" -a "x$with_openssl" = "xno" ; then
- AC_MSG_ERROR([You need to enable ssl gatewaying support to use ssl_crtd feature. Try to use --with-openssl. ])
-fi
-SQUID_DEFINE_BOOL(USE_SSL_CRTD, ${enable_ssl_crtd:=no},[Use ssl_crtd daemon])
-AM_CONDITIONAL(USE_SSL_CRTD, [test "x$enable_ssl_crtd" = "xyes"])
-
dnl Select Default hosts file location
AC_ARG_ENABLE(default-hostsfile,
AS_HELP_STRING([--enable-default-hostsfile=path],
])
m4_include([src/security/cert_validators/helpers.m4])
+AC_ARG_ENABLE(security-cert-generators,
+ AS_HELP_STRING([--enable-security-cert-generators="list of helpers"],
+ [This option selects which security certificate validator
+ helpers to build and install as part of the normal build
+ process. The default is to attempt the build of all possible
+ helpers. Use --disable-security-cert-genrators to
+ build none. For a list of available helpers see the
+ src/security/cert_generators/ directory.]),[
+])
+m4_include([src/security/cert_generators/helpers.m4])
+
dnl Select storeid_rewrite helpers to build
AC_ARG_ENABLE(storeid-rewrite-helpers,
AS_HELP_STRING([--enable-storeid-rewrite-helpers="list of helpers"],
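Review bot: The help text for the new `--enable-security-cert-generators` option is copied from the validator option and describes the wrong thing: it says the option selects "certificate validator helpers" and tells the user to pass `--disable-security-cert-genrators` (typo), so `./configure --help` misleads on both points. Suggest `[This option selects which security certificate generator helpers to build and install ...` and `Use --disable-security-cert-generators to build none.` Note also that this AC_ARG_ENABLE stores its value in `$enable_security_cert_generators`, so the `cert_generators/helpers.m4` included right after it must read that exact name rather than a `..._helpers` variant, otherwise the option has no effect.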
src/parser/Makefile
src/repl/Makefile
src/security/Makefile
+ src/security/cert_generators/Makefile
+ src/security/cert_generators/file/Makefile
src/security/cert_validators/Makefile
src/security/cert_validators/fake/Makefile
src/servers/Makefile
<em>security_fake_certverify</em>, reflecting the Squid helper naming schema
and that it does not actually perform any certificate checks.
+<p>The <em>ssl_crtd</em> helper has been renamed to <em>security_file_certgen</em>
+ and is now built and installed by default whenever OpenSSL support is enabled.
+ Building the helper can be controlled using the <em>--enable-security-cert-generators="file"</em>
+ option.
+ NOTE: The <em>--enable-ssl-crtd</em> option is still required to enable the
+ <em>sslcrtd_program</em> helper interface within Squid that uses the helper.
+
<p>The <em>security_fake_certverify</em> helper is also now built and installed
by default. It is written in Perl so does not require OpenSSL dependencies
for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution.
<sect1>New options<label id="newoptions">
<p>
<descrip>
+ <tag>--enable-security-cert-generators</tag>
+ <p>New option to control which TLS/SSL dynamic certificate generator
+ helpers are built and installed.
+ <p>Helper <em>ssl_crtd<em> has been renamed to <em>security_file_certgen</em>
+ and built with module name <em>file</em>. Requires <em>--with-openssl</em>.
+
<tag>--enable-security-cert-validator-helpers</tag>
- <p>New directive to control which TLS/SSL certificate validation
+ <p>New option to control which TLS/SSL certificate validation
helpers are built and installed.
<p>One <em>fake</em> helper that does not actually perform any
certificate checks is provided for testing and as an example
endif
DIST_SUBDIRS += auth
-SUBDIRS += http ip icmp ident log ipc mgr security
-DIST_SUBDIRS += http ip icmp ident log ipc mgr security
+SUBDIRS += http ip icmp ident log ipc mgr
+DIST_SUBDIRS += http ip icmp ident log ipc mgr
SSL_LIBS=
if ENABLE_SSL
ssl/libsslsquid.la \
ssl/libsslutil.la
endif
-DIST_SUBDIRS += ssl
+DIST_SUBDIRS += ssl security
+SUBDIRS += security
SNMP_ALL_SOURCE = \
SnmpRequest.h \
DEFAULT: @DEFAULT_SSL_CRTD@ -s @DEFAULT_SSL_DB_DIR@ -M 4MB
LOC: Ssl::TheConfig.ssl_crtd
DOC_START
- Specify the location and options of the executable for ssl_crtd process.
+ Specify the location and options of the executable for certificate
+ generator.
@DEFAULT_SSL_CRTD@ program requires -s and -M parameters
For more information use:
@DEFAULT_SSL_CRTD@ -h
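Review bot: The rewritten description drops the helper's name entirely, so after the rename an operator reading `squid.conf.documented` has no way to learn that the bundled generator is now `security_file_certgen` (the old `ssl_crtd` binary no longer exists, per the release notes in this commit). Suggest `Specify the location and options of the executable for certificate generator, e.g. the bundled security_file_certgen helper.` Whether `@DEFAULT_SSL_CRTD@` is re-pointed at the renamed binary is not visible in this diff and should be confirmed.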
#include "ssl/ServerBump.h"
#include "ssl/support.h"
#endif
-#if USE_SSL_CRTD
-#include "ssl/certificate_db.h"
-#include "ssl/crtd_message.h"
-#endif
// for tvSubUsec() which should be in SquidTime.h
#include "util.h"
#if USE_LOADABLE_MODULES
#include "LoadableModules.h"
#endif
-#if USE_SSL_CRTD
-#include "ssl/certificate_db.h"
-#endif
#if USE_OPENSSL
#include "ssl/context_storage.h"
#include "ssl/helper.h"
include $(top_srcdir)/src/Common.am
include $(top_srcdir)/src/TestHeaders.am
-SUBDIRS= cert_validators
+SUBDIRS= cert_generators cert_validators
noinst_LTLIBRARIES = libsecurity.la
--- /dev/null
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+DIST_SUBDIRS= file
+SUBDIRS= $(SECURITY_CERTGEN_HELPERS)
+EXTRA_DIST= helpers.m4
--- /dev/null
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+include $(top_srcdir)/src/Common.am
+include $(top_srcdir)/src/TestHeaders.am
+
+man_MANS = security_file_certgen.8
+libexec_PROGRAMS = security_file_certgen
+
+security_file_certgen_SOURCES = \
+ certificate_db.cc \
+ certificate_db.h \
+ security_file_certgen.cc
+security_file_certgen_LDADD = \
+ $(top_builddir)/src/ssl/libsslutil.la \
+ $(SSLLIB) \
+ $(COMPAT_LIB)
+
+EXTRA_DIST = security_file_certgen.8
+
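Review bot: This Makefile builds and installs `security_file_certgen` unconditionally, linking `$(top_builddir)/src/ssl/libsslutil.la` and `$(SSLLIB)`, which src/Makefile.am only produces under `if ENABLE_SSL`; the only thing keeping a non-OpenSSL build from descending into this directory is the module selection in `file/required.m4`. That coupling is not stated anywhere in the directory, so a one-line comment above `libexec_PROGRAMS` would help whoever next edits the selection logic: `## Requires OpenSSL: this directory is only entered when required.m4 selected "file".`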
*/
#include "squid.h"
-#include "ssl/certificate_db.h"
+#include "security/cert_generators/file/certificate_db.h"
#include <cerrno>
#include <fstream>
--- /dev/null
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+if test "x$with_openssl" = "xno" ; then
+ BUILD_HELPER="file"
+fi
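Review bot: The OpenSSL test on the first line is inverted: `BUILD_HELPER="file"` is set only when `$with_openssl` is `no`, so the helper that links `$(SSLLIB)` and `src/ssl/libsslutil.la` is selected exactly when those cannot be built, and is skipped on the OpenSSL builds the release notes say install it by default. With the loop in cert_generators/helpers.m4, a normal `--with-openssl` build then logs "found but cannot be built" (or errors if the helper was requested explicitly), while a `--with-openssl=no` build tries to link against a library that is never built. Flip the condition to `if test "x$with_openssl" != "xno" ; then`, mirroring the `= "xno"` test this commit uses for the `--enable-ssl-crtd` error.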
-.if !'po4a'hide' .TH ssl_crtd 8
+.if !'po4a'hide' .TH security_file_certgen 8
.
.SH NAME
-ssl_crtd \- SSL certificate generator for Squid.
+security_file_certgen \- SSL certificate generator for Squid.
.PP
Version 1.0
.
.SH SYNOPSIS
-.if !'po4a'hide' .B ssl_crtd
+.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B [\-dhv]
.
-.if !'po4a'hide' .B ssl_crtd
+.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B "[\-d] -s "
directory
-.if !'po4a'hide' .B [\-M
+.if !'po4a'hide' .B "[\-M "
size
.if !'po4a'hide' .B ]
.
-.if !'po4a'hide' .B ssl_crtd
+.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B "[\-d] \-c \-s "
directory
.if !'po4a'hide' .B [\-n]
serial number
.
-.if !'po4a'hide' .B ssl_crtd
+.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B "[\-d] \-g \-s "
directory
.
.SH DESCRIPTION
-.B ssl_crtd
+.B security_file_certgen
is an installed binary.
.PP
Because the generation and signing of SSL certificates takes time
.PP
For example:
.if !'po4a'hide' .RS
-.if !'po4a'hide' .B ssl_crtd -c -s /var/lib/ssl_db
+.if !'po4a'hide' .B security_file_certgen -c -s /var/lib/ssl_db
.if !'po4a'hide' .RE
.
.PP
configuration directive.
For example:
.if !'po4a'hide' .RS
-.if !'po4a'hide' .B sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
+.if !'po4a'hide' .B sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/lib/ssl_db -M 4MB
.if !'po4a'hide' .
.if !'po4a'hide' .B sslcrtd_children 5
.if !'po4a'hide' .RE
#include "squid.h"
#include "helper/protocol_defines.h"
-#include "ssl/certificate_db.h"
+#include "security/cert_generators/file/certificate_db.h"
#include "ssl/crtd_message.h"
#include <cstring>
--- /dev/null
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+# This file is supposed to run all the tests required to identify which
+# configured modules are able to be built in this environment
+
+# FIXME: de-duplicate $enable_security_cert_generator_helpers list containing double entries.
+
+#define list of modules to build
+auto_security_modules=no
+if test "x${enable_security_cert_generator_helpers:=yes}" = "xyes" ; then
+ SQUID_LOOK_FOR_MODULES([$srcdir/src/security/cert_generators],[enable_security_cert_generator_helpers])
+ auto_security_certgen_modules=yes
+fi
+
+enable_security_cert_generator_helpers="`echo $enable_security_cert_generator_helpers| sed -e 's/,/ /g;s/ */ /g'`"
+AC_MSG_NOTICE([Security certificate generator helper candidates: $enable_security_cert_generator_helpers])
+SECURITY_CERTGEN_HELPERS=""
+if test "x$enable_security_cert_generator_helpers" != "xno" ; then
+ for helper in $enable_security_cert_generator_helpers; do
+ dir="$srcdir/src/security/cert_generators/$helper"
+
+ # modules converted to autoconf macros already
+ # NP: we only need this list because m4_include() does not accept variables
+ if test "x$helper" = "xfile" ; then
+ m4_include([src/security/cert_generators/file/required.m4])
+
+ # modules not yet converted to autoconf macros (or third party drop-in's)
+ elif test -f "$dir/config.test" && sh "$dir/config.test" "$squid_host_os"; then
+ BUILD_HELPER="$helper"
+ fi
+
+ if test -d "$srcdir/src/security/cert_generators/$helper"; then
+ if test "$BUILD_HELPER" != "$helper"; then
+ if test "x$auto_security_certgen_modules" = "xyes"; then
+ AC_MSG_NOTICE([Security certificate generator helper $helper ... found but cannot be built])
+ else
+ AC_MSG_ERROR([Security certificate generator helper $helper ... found but cannot be built])
+ fi
+ else
+ SECURITY_CERTGEN_HELPERS="$SECURITY_CERTGEN_HELPERS $BUILD_HELPER"
+ fi
+ else
+ AC_MSG_ERROR([Security certificate generator helper $helper ... not found])
+ fi
+ done
+fi
+AC_MSG_NOTICE([Security certificate generator helpers to be built: $SECURITY_CERTGEN_HELPERS])
+AC_SUBST(SECURITY_CERTGEN_HELPERS)
+
+# XXX: Enabling the interface in Squid still requires separate option
+AC_ARG_ENABLE(ssl-crtd,
+ AC_HELP_STRING([--enable-ssl-crtd],
+ [Prevent Squid from directly generating TLS/SSL private key
+ and certificate. Instead enables the certificate generator
+ processes.]), [
+ SQUID_YESNO([$enableval],
+ [unrecogized argument to --enable-ssl-crtd: $enableval])
+])
+if test "x$enable_ssl_crtd" = "xyes" -a "x$with_openssl" = "xno" ; then
+ AC_MSG_ERROR([You need ssl gatewaying support to enable ssl_crtd feature. Try to use --with-openssl.])
+fi
+SQUID_DEFINE_BOOL(USE_SSL_CRTD, ${enable_ssl_crtd:=no},[Use ssl_crtd daemon])
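Review bot: The helper list this file consumes is never set by the option the commit adds: configure.ac declares `AC_ARG_ENABLE(security-cert-generators, ...)`, which autoconf stores in `enable_security_cert_generators`, while every test here reads `enable_security_cert_generator_helpers`, so `--enable-security-cert-generators=...` and `--disable-security-cert-generators` are silently ignored and the auto-detect path always runs. Either read `enable_security_cert_generators` here (matching the release notes) or rename the option to `security-cert-generator-helpers` as the validator option is named. The line `auto_security_modules=no` also initialises the wrong name — the flag tested later is `auto_security_certgen_modules`, which currently works only because an unset variable is not `yes`; change it to `auto_security_certgen_modules=no`. Finally, the `AM_CONDITIONAL(USE_SSL_CRTD, ...)` removed from configure.ac is not re-created here; if any Makefile.am outside this diff still uses that conditional, automake will fail, so it is worth a grep before merging.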
# FIXME: de-duplicate $enable_security_cert_validator_helpers list containing double entries.
#define list of modules to build
-auto_security_modules=no
+auto_security_certv_modules=no
if test "x${enable_security_cert_validator_helpers:=yes}" = "xyes" ; then
SQUID_LOOK_FOR_MODULES([$srcdir/src/security/cert_validators],[enable_security_cert_validator_helpers])
- auto_security_modules=yes
+ auto_security_certv_modules=yes
fi
enable_security_cert_validator_helpers="`echo $enable_security_cert_validator_helpers| sed -e 's/,/ /g;s/ */ /g'`"
if test -d "$srcdir/src/security/cert_validators/$helper"; then
if test "$BUILD_HELPER" != "$helper"; then
- if test "x$auto_security_modules" = "xyes"; then
+ if test "x$auto_security_certv_modules" = "xyes"; then
AC_MSG_NOTICE([Security certificate validator helper $helper ... found but cannot be built])
else
AC_MSG_ERROR([Security certificate validator helper $helper ... found but cannot be built])
noinst_LTLIBRARIES = libsslsquid.la libsslutil.la
-EXTRA_PROGRAMS = \
- ssl_crtd
-
-EXTRA_DIST = \
- ssl_crtd.8
-
-if USE_SSL_CRTD
-SSL_CRTD = ssl_crtd
-man_MANS = ssl_crtd.8
-else
-SSL_CRTD =
-endif
-
-## SSL stuff used by main Squid but not by ssl_crtd
+## SSL stuff used by main Squid but not by certgen helper
libsslsquid_la_SOURCES = \
bio.cc \
bio.h \
helper.cc \
helper.h
-## SSL stuff used by main Squid and ssl_crtd
+## SSL stuff used by main Squid and certgen helper
libsslutil_la_SOURCES = \
gadgets.cc \
gadgets.h \
crtd_message.cc \
crtd_message.h
-
-libexec_PROGRAMS = \
- $(SSL_CRTD)
-
-if USE_SSL_CRTD
-ssl_crtd_SOURCES = ssl_crtd.cc certificate_db.cc certificate_db.h
-ssl_crtd_LDADD = libsslutil.la $(SSLLIB) $(COMPAT_LIB)
-endif
namespace Ssl
{
+#if USE_SSL_CRTD
/**
* Set of thread for ssl_crtd. This class is singleton. Use this class only
* over GetIntance() static method. This class use helper structure
* for threads management.
*/
-#if USE_SSL_CRTD
class Helper
{
public: