#if HAVE_LIMITS
#include <limits>
#endif
+#if USE_SSL
+#include "ssl/support.h"
+#endif
http_port_list::http_port_list(const char *aProtocol)
#if USE_SSL
safe_free(sslContextSessionId);
#endif
}
+
+#if USE_SSL
+void http_port_list::configureSslServerContext()
+{
+ staticSslContext.reset(
+ sslCreateServerContext(cert, key,
+ version, cipher, options, sslflags, clientca,
+ cafile, capath, crlfile, dhfile,
+ sslContextSessionId));
+
+ if (!staticSslContext) {
+ char buf[128];
+ fatalf("%s_port %s initialization error", protocol, s.ToURL(buf, sizeof(buf)));
+ }
+
+ if (!sslBump)
+ return;
+
+ if (cert)
+ Ssl::readCertChainAndPrivateKeyFromFiles(signingCert, signPkey, certsToChain, cert, key);
+
+ if (!signingCert) {
+ char buf[128];
+ fatalf("No valid signing SSL certificate configured for %s_port %s", protocol, s.ToURL(buf, sizeof(buf)));
+ }
+
+ if (!signPkey)
+ debugs(3, DBG_IMPORTANT, "No SSL private key configured for " << protocol << "_port " << s);
+
+ Ssl::generateUntrustedCert(untrustedSigningCert, untrustedSignPkey,
+ signingCert, signPkey);
+
+ if (!untrustedSigningCert) {
+ char buf[128];
+ fatalf("Unable to generate signing SSL certificate for untrusted sites for %s_port %s", protocol, s.ToURL(buf, sizeof(buf)));
+ }
+}
+#endif
struct http_port_list {
http_port_list(const char *aProtocol);
~http_port_list();
+#if USE_SSL
+ void configureSslServerContext();
+#endif
http_port_list *next;
http_port_list *s;
for (s = Config.Sockaddr.http; s != NULL; s = (http_port_list *) s->next) {
- if (!s->cert)
+ if (!s->sslBump)
continue;
debugs(3, 1, "Initializing http_port " << s->s << " SSL context");
-
- s->staticSslContext.reset(
- sslCreateServerContext(s->cert, s->key,
- s->version, s->cipher, s->options, s->sslflags, s->clientca,
- s->cafile, s->capath, s->crlfile, s->dhfile,
- s->sslContextSessionId));
-
- Ssl::readCertChainAndPrivateKeyFromFiles(s->signingCert, s->signPkey, s->certsToChain, s->cert, s->key);
-
- if (!s->signPkey)
- debugs(3, DBG_IMPORTANT, "No SSL private key configured for http_port " << s->s);
-
- Ssl::generateUntrustedCert(s->untrustedSigningCert, s->untrustedSignPkey,
- s->signingCert, s->signPkey);
+ s->configureSslServerContext();
}
}
for (s = Config.Sockaddr.https; s != NULL; s = s->next) {
debugs(3, 1, "Initializing https_port " << s->s << " SSL context");
-
- s->staticSslContext.reset(
- sslCreateServerContext(s->cert, s->key,
- s->version, s->cipher, s->options, s->sslflags, s->clientca,
- s->cafile, s->capath, s->crlfile, s->dhfile,
- s->sslContextSessionId));
-
- if (s->cert && s->sslBump) {
- Ssl::readCertChainAndPrivateKeyFromFiles(s->signingCert, s->signPkey, s->certsToChain, s->cert, s->key);
- if (!s->signPkey)
- debugs(3, DBG_IMPORTANT, "No SSL private key configured for https_port " << s->s);
-
- Ssl::generateUntrustedCert(s->untrustedSigningCert, s->untrustedSignPkey,
- s->signingCert, s->signPkey);
- }
+ s->configureSslServerContext();
}
}
assert(certProperties.signAlgorithm != Ssl::algSignEnd);
if (certProperties.signAlgorithm == Ssl::algSignUntrusted) {
+ assert(port->untrustedSigningCert.get());
certProperties.signWithX509.resetAndLock(port->untrustedSigningCert.get());
certProperties.signWithPkey.resetAndLock(port->untrustedSignPkey.get());
}
else {
- if (port->signingCert.get())
- certProperties.signWithX509.resetAndLock(port->signingCert.get());
+ assert(port->signingCert.get());
+ certProperties.signWithX509.resetAndLock(port->signingCert.get());
if (port->signPkey.get())
certProperties.signWithPkey.resetAndLock(port->signPkey.get());
// For non self-signed certificates we have to check if the signing certificate changed
if (properties.signAlgorithm != Ssl::algSignSelf) {
+ assert(properties.signWithX509.get());
if (X509_check_issued(properties.signWithX509.get(), cert) != X509_V_OK)
return false;
}
if (!CAfile)
CAfile = clientCA;
+ if (!certfile) {
+ debugs(83, DBG_CRITICAL, "ERROR: No certificate file");
+ return NULL;
+ }
+
switch (version) {
case 2:
if (sslContext == NULL) {
ssl_error = ERR_get_error();
- fatalf("Failed to allocate SSL context: %s\n",
- ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate SSL context: " << ERR_error_string(ssl_error, NULL));
+ return NULL;
}
SSL_CTX_set_options(sslContext, ssl_parse_options(options));
if (!SSL_CTX_set_cipher_list(sslContext, cipher)) {
ssl_error = ERR_get_error();
- fatalf("Failed to set SSL cipher suite '%s': %s\n",
- cipher, ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << cipher << "': " << ERR_error_string(ssl_error, NULL));
+ SSL_CTX_free(sslContext);
+ return NULL;
}
}
projects / thirdparty / squid.git / commitdiff
