From: Amos Jeffries Date: Fri, 22 May 2015 09:42:55 +0000 (-0700) Subject: Replacement of sslversion=N by tls-min-version=1.N X-Git-Tag: merge-candidate-3-v1~110 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1cc44095e2effe69bd74291090c1b7b16cc33426;p=thirdparty%2Fsquid.git Replacement of sslversion=N by tls-min-version=1.N Overall the default behaviour is changed from enumerating the protocols wanted to enumerating and eliminating the unwanted ones. * sslversion= / version= parameter is removed from documentation. * sslversion= code logics is converted from setting the SSL_*_method() function to setting the ssloptions= masking parameters. Yes this will open a hole for future libraries use of TLSv1.3. However that is kind of desirable and if it becomes a problem the ssloptions=NO_TLSv1_3 should be made available. * The SSL_*_method() logic is all converted to using the flexible TLS_*_Method() API when available (OpenSSL 1.1.0) otherwise the equivalent SSLv23_*_method() API is used. That API follows the latest specification behaviour: to send a protocol frame type that any recipient should be able to parse (library decides which), while only negotiating the protocol type permitted. * A new option tls-min-version=1.N is added to server connection directives. It controls *only* the TLS version range. - http(s)_port directives are not (yet) implemented using Security::PeerOptions. For now they are left with options= masking to select protocol support. - bug in http(s)_port directives version= parameter is fixed. The new backward compatibility code accepts version=4|5|6 where the existing code did not despite documentation saying it did. - SSLv3 is left at the library default unless ssloptions=NO_SSLv3 is used. * ssloptions= is left alone so anyone can still set the library options masks to control SSLv3 enable/disable or specific TLS versions higher than the configured minimum. --- 
diff --git a/doc/release-notes/release-4.sgml b/doc/release-notes/release-4.sgml index 6c473bf10b..d31db9d573 100644 --- a/doc/release-notes/release-4.sgml +++ b/doc/release-notes/release-4.sgml @@ -117,8 +117,10 @@ This section gives a thorough account of those changes in three categories: of queued requests. cache_peer -

All ssloption= and sslversion= values for +

New option tls-min-version=1.N to set minimum TLS version allowed. +

All ssloptions= values for SSLv2 configuration or disabling have been removed. +

Removed sslversion= option. Use ssloptions= instead.

Manual squid.conf update may be required on upgrade. external_acl_type @@ -126,13 +128,15 @@ This section gives a thorough account of those changes in three categories: of queued requests. http_port -

All version= option= values for SSLv2 +

All option= values for SSLv2 configuration or disabling have been removed. +

Removed version= option. Use options= instead.

Manual squid.conf update may be required on upgrade. https_port -

All version= option= values for SSLv2 +

All options= values for SSLv2 configuration or disabling have been removed. +

Removed version= option. Use options= instead.

Manual squid.conf update may be required on upgrade. sslcrtd_children @@ -143,13 +147,6 @@ This section gives a thorough account of those changes in three categories:

New parameter queue-size= to set the maximum number of queued requests. - sslproxy_options -

All values for SSLv2 configuration or disabling have been removed. -

Manual squid.conf update may be required on upgrade. - - sslproxy_version -

Value '2' for SSLv2-only operation is no longer supported. - url_rewrite_children

New parameter queue-size= to set the maximum number of queued requests. @@ -188,9 +185,13 @@ This section gives a thorough account of those changes in three categories: sslproxy_options

Replaced by tls_outgoing_options options=. +

All values for SSLv2 configuration or disabling have been removed. +

Manual squid.conf update may be required on upgrade. sslproxy_version -

Replaced by tls_outgoing_options version=. +

Replaced by tls_outgoing_options options=. +

All values for SSLv2 configuration or disabling have been removed. +

Manual squid.conf update may be required on upgrade. diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc index d2299244ac..9876273eb7 100644 --- a/src/anyp/PortCfg.cc +++ b/src/anyp/PortCfg.cc @@ -10,6 +10,7 @@ #include "anyp/PortCfg.h" #include "comm.h" #include "fatal.h" +#include "SBuf.h" #if USE_OPENSSL #include "ssl/support.h" #endif @@ -188,9 +189,43 @@ AnyP::PortCfg::configureSslServerContext() } } - contextMethod = Ssl::contextMethod(version); - if (!contextMethod) - fatalf("Unable to compute context method to use"); + // backward compatibility hack for sslversion= configuration + if (version > 2) { + const char *add = NULL; + switch (version) { + case 3: + add = "NO_TLSv1,NO_TLSv1_1,NO_TLSv1_2"; + break; + case 4: + add = "NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2"; + break; + case 5: + add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_2"; + break; + case 6: + add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_1"; + break; + default: // nothing + break; + } + if (add) { + SBuf tmpOpts; + if (options) { + tmpOpts.append(options, strlen(options)); + tmpOpts.append(",",1); + } + tmpOpts.append(add, strlen(add)); + xfree(options); + options = xstrdup(tmpOpts.c_str()); + } + version = 0; // prevent options being repeatedly appended + } + +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + contextMethod = TLS_server_method(); +#else + contextMethod = SSLv23_server_method(); +#endif if (dhfile) dhParams.reset(Ssl::readDHParams(dhfile)); diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 1bdfcca892..d8ee3f03c0 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc 
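Review bot: The compatibility mapping in configureSslServerContext() carries no comment saying what it emulates and what it deliberately no longer guarantees: on the OpenSSL 1.1.0 branch directly below it, `TLS_server_method()` negotiates every protocol the library supports, so the masks leave anything newer than TLSv1.2 enabled and `version=6` no longer means "TLSv1.2 only" as the removed cf.data.pre text promised. That trade-off is stated in the commit message but not at the code, which is where the next maintainer will look; I would add above the switch: `// version=N used to select a single SSL_*_method(); emulate it by masking every other protocol we know of. Protocols newer than TLSv1.2 are deliberately left unmasked (narrow them with options=NO_TLSv1_x when the library grows them).` The `default: // nothing` arm is unreachable for the 3..6 range that parse_port_option admits; if it stays, say that rather than "nothing".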
@@ -2195,7 +2195,13 @@ parse_peer(CachePeer ** head) p->secure.encryptTransport = true; p->secure.parse(token+3); #endif - + } else if (strncmp(token, "tls-", 4) == 0) { +#if !USE_OPENSSL + debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl"); +#else + p->secure.encryptTransport = true; + p->secure.parse(token+4); +#endif } else if (strcmp(token, "front-end-https") == 0) { p->front_end_https = 1; } else if (strcmp(token, "front-end-https=on") == 0) { @@ -3582,8 +3588,10 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token) safe_free(s->key); s->key = xstrdup(token + 4); } else if (strncmp(token, "version=", 8) == 0) { + debugs(3, DBG_PARSE_NOTE(1), "UPGRADE WARNING: '" << token << "' is deprecated " << + "in " << cfg_directive << ". Use 'options=' instead."); s->version = xatoi(token + 8); - if (s->version < 1 || s->version > 4) + if (s->version < 1 || s->version > 6) self_destruct(); } else if (strncmp(token, "options=", 8) == 0) { safe_free(s->options); @@ -3808,9 +3816,6 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfgPointer &s) if (s->key) storeAppendPrintf(e, " key=%s", s->key); - if (s->version) - storeAppendPrintf(e, " version=%d", s->version); - if (s->options) storeAppendPrintf(e, " options=%s", s->options); diff --git a/src/cf.data.pre b/src/cf.data.pre index 6975ca293d..c797a1115d 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -200,7 +200,7 @@ DOC_END NAME: sslproxy_version TYPE: obsolete DOC_START - Remove this line. Use tls_outgoing_options version= instead. + Remove this line. Use tls_outgoing_options options= instead. DOC_END # Options removed in 3.5 
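Review bot: `version=2` still passes the widened range check `if (s->version < 1 || s->version > 6)` in parse_port_option, but it is handled by neither the new compatibility mapping in PortCfg.cc (which only acts for `version > 2`) nor the old contextMethod()/fatalf path this commit deletes, so an http(s)_port configured as SSLv2-only now silently runs with the library's default protocol set — the widest set, the opposite of what the directive asked for. Tighten the check to `if (s->version < 1 || s->version == 2 || s->version > 6) self_destruct();` so the configuration fails closed as it did before. The deprecation warning could also name `options=NO_SSLv3,NO_TLSv1_1,...` as the concrete replacement for each value, since that mapping now lives in a different file from the message.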
@@ -1914,13 +1914,6 @@ DOC_START assumed to be a combined certificate and key file. - version= The version of SSL/TLS supported - 1 automatic (default) - 3 SSLv3 only - 4 TLSv1.0 only - 5 TLSv1.1 only - 6 TLSv1.2 only - cipher= Colon separated list of supported ciphers. NOTE: some ciphers such as EDH ciphers depend on additional settings. If those settings are @@ -2100,11 +2093,6 @@ DOC_START assumed to be a combined certificate and key file. - version= The version of SSL/TLS supported - 1 automatic (default) - 3 SSLv3 only - 4 TLSv1 only - cipher= Colon separated list of supported ciphers. options= Various SSL engine options. The most important @@ -2600,16 +2588,13 @@ DOC_START If key= is not specified cert= is assumed to reference a PEM file containing both the certificate and the key. - version=1|3|4|5|6 - The TLS/SSL version to use when connecting - 1 = automatic (default) - 3 = SSL v3 only - 4 = TLS v1.0 only - 5 = TLS v1.1 only - 6 = TLS v1.2 only - cipher=... The list of valid TLS ciphers to use. - + + min-version=1.N + The minimum TLS protocol version to permit. To control + SSLv3 use the options= parameter. + Supported Values: 1.0 (default), 1.1, 1.2 + options=... Specify various TLS/SSL implementation options: NO_SSLv3 Disallow the use of SSLv3 @@ -3339,17 +3324,14 @@ DOC_START reference a combined file containing both the certificate and the key. - sslversion=1|3|4|5|6 - The SSL version to use when connecting to this peer - 1 = automatic (default) - 3 = SSL v3 only - 4 = TLS v1.0 only - 5 = TLS v1.1 only - 6 = TLS v1.2 only - sslcipher=... The list of valid SSL ciphers to use when connecting to this peer. - + + tls-min-version=1.N + The minimum TLS protocol version to permit. To control + SSLv3 use the ssloptions= parameter. + Supported Values: 1.0 (default), 1.1, 1.2 + ssloptions=... Specify various SSL implementation options: NO_SSLv3 Disallow the use of SSLv3 
@@ -8498,18 +8480,14 @@ DOC_START reference a combined file containing both the certificate and the key. - sslversion=1|3|4|5|6 - The SSL version to use when connecting to this icap - server - 1 = automatic (default) - 3 = SSL v3 only - 4 = TLS v1.0 only - 5 = TLS v1.1 only - 6 = TLS v1.2 only - sslcipher=... The list of valid SSL ciphers to use when connecting to this icap server. + tls-min-version=1.N + The minimum TLS protocol version to permit. To control + SSLv3 use the ssloptions= parameter. + Supported Values: 1.0 (default), 1.1, 1.2 + ssloptions=... Specify various SSL implementation options: NO_SSLv3 Disallow the use of SSLv3 diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index bc60a20138..577053755e 100644 --- a/src/security/PeerOptions.cc +++ b/src/security/PeerOptions.cc @@ -9,6 +9,7 @@ #include "squid.h" #include "Debug.h" #include "globals.h" +#include "parser/Tokenizer.h" #include "Parsing.h" #include "security/PeerOptions.h" @@ -32,7 +33,10 @@ Security::PeerOptions::parse(const char *token) certFile = privateKeyFile; } } else if (strncmp(token, "version=", 8) == 0) { + debugs(0, DBG_PARSE_NOTE(1), "UPGRADE WARNING: SSL version= is deprecated. Use options= to limit protocols instead."); sslVersion = xatoi(token + 8); + } else if (strncmp(token, "min-version=", 12) == 0) { + tlsMinVersion = SBuf(token + 12); } else if (strncmp(token, "options=", 8) == 0) { sslOptions = SBuf(token + 8); #if USE_OPENSSL 
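Review bot: The new `min-version=` value is stored verbatim in parse() with no validation, so a typo is only discovered when createContext() runs, far from the directive that caused it and without the parsing context; the documented values are just `1.0`, `1.1` and `1.2`, which is cheap to check here and reject with whatever the file uses for a fatal configuration error (self_destruct() if it is reachable from this file, otherwise fatalf()). The deprecation message for `version=` also points only at `options=`, although this very hunk adds `min-version=` as the intended successor; `"UPGRADE WARNING: SSL version= is deprecated. Use min-version= and/or options= to limit protocols instead."` would guide upgraders better. The enclosing parse() continues outside the hunk.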
@@ -62,10 +66,56 @@ Security::PeerOptions::createContext(bool setOptions) { Security::ContextPointer t = NULL; + if (!tlsMinVersion.isEmpty()) { + ::Parser::Tokenizer tok(tlsMinVersion); + int64_t v = 0; + if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 2) { + // only account for TLS here - SSL versions are handled by options= parameter + if (v > 0) + sslOptions.append(",NO_TLSv1",9); + if (v > 1) + sslOptions.append(",NO_TLSv1_1",11); + if (v > 2) + sslOptions.append(",NO_TLSv1_2",11); + + } else { + debugs(0, DBG_PARSE_NOTE(1), "WARNING: Unknown TLS minimum version: " << tlsMinVersion); + } + + } else if (sslVersion > 2) { + // backward compatibility hack for sslversion= configuration + // only use if tls-min-version=N.N is not present + + const char *add = NULL; + switch (sslVersion) { + case 3: + add = "NO_TLSv1,NO_TLSv1_1,NO_TLSv1_2"; + break; + case 4: + add = "NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2"; + break; + case 5: + add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_2"; + break; + case 6: + add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_1"; + break; + default: // nothing + break; + } + if (add) { + if (!sslOptions.isEmpty()) + sslOptions.append(",",1); + sslOptions.append(add, strlen(add)); + } + sslVersion = 0; // prevent sslOptions being repeatedly appended + } + #if USE_OPENSSL // XXX: temporary performance regression. c_str() data copies and prevents this being a const method - t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(), - (setOptions ? sslOptions.c_str() : NULL), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str()); + t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslCipher.c_str(), + (setOptions ? sslOptions.c_str() : NULL), sslFlags.c_str(), + caFile.c_str(), caDir.c_str(), crlFile.c_str()); #endif return t; diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h index c88732f512..7defc9a862 100644 --- a/src/security/PeerOptions.h 
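Review bot: A bad `tls-min-version=` value fails open in createContext(): the `else` branch only logs "Unknown TLS minimum version" and then proceeds with no `NO_TLSv1*` mask, so a typo such as `1.3` yields the library's full protocol range instead of a narrowed one. The parse also never checks that the token was fully consumed (`tok.int64(v, 10, false, 1)` reads one digit, so `1.10` passes as 1.1), appends with a leading comma when sslOptions is empty (unlike the sslversion= branch below and the PortCfg.cc hack, which only insert `,` between entries — whether Ssl::parse_options tolerates `,NO_TLSv1` is not visible here), and unlike that branch has no guard against appending again on a second createContext() call. I would fail closed, require the tokenizer to be at end (`tok.atEnd()`, if available), and join the derived masks onto a working copy instead of mutating sslOptions; the `v > 2` arm is unreachable after `v <= 2` and can go. fatalf() would need `fatal.h` if it is not already reachable through the existing includes.
```cpp
    SBuf minVersionMasks; // NO_TLSv1* entries derived from min-version=, joined below
    if (!tlsMinVersion.isEmpty()) {
        ::Parser::Tokenizer tok(tlsMinVersion);
        int64_t v = 0;
        // the whole token must be consumed: "1.10" or "1.2x" is not a valid level
        const bool ok = tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && tok.atEnd() && v <= 2;
        if (!ok) {
            // fail closed: an unparseable minimum must not leave every protocol enabled
            fatalf("Unknown TLS minimum version: %s", tlsMinVersion.c_str());
        }
        // only account for TLS here - SSL versions are handled by options= parameter
        static const char *const masks[] = { "NO_TLSv1", "NO_TLSv1_1" };
        for (int64_t i = 0; i < v; ++i) {
            if (!minVersionMasks.isEmpty())
                minVersionMasks.append(",", 1);
            minVersionMasks.append(masks[i], strlen(masks[i]));
        }
    } else if (sslVersion > 2) {
        // … unchanged: sslversion= backward compatibility mapping …
    }

    // Join on a working copy so that a later createContext() (e.g. on reconfigure)
    // does not append the min-version= masks to sslOptions a second time.
    SBuf effectiveOptions = sslOptions;
    if (!minVersionMasks.isEmpty()) {
        if (!effectiveOptions.isEmpty())
            effectiveOptions.append(",", 1);
        effectiveOptions.append(minVersionMasks);
    }

#if USE_OPENSSL
    // XXX: temporary performance regression. c_str() data copies and prevents this being a const method
    t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslCipher.c_str(),
                               (setOptions ? effectiveOptions.c_str() : NULL), sslFlags.c_str(),
                               caFile.c_str(), caDir.c_str(), crlFile.c_str());
#endif
```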
+++ b/src/security/PeerOptions.h @@ -42,10 +42,14 @@ public: SBuf sslFlags; SBuf sslDomain; + SBuf tlsMinVersion; ///< version label for minimum TLS version to permit + long parsedOptions; ///< parsed value of sslOptions +private: int sslVersion; +public: /// whether transport encryption (TLS/SSL) is to be used on connections to the peer bool encryptTransport; }; diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc index 840de1e98d..ff4b53c130 100644 --- a/src/ssl/bio.cc +++ b/src/ssl/bio.cc @@ -1144,7 +1144,6 @@ Ssl::Bio::sslFeatures::applyToSSL(SSL *ssl, Ssl::BumpMode bumpMode) const // SSL version which can be used to the SSL version used for client hello message. // For example will prevent comunnicating with a tls1.0 server if the // client sent and tlsv1.2 Hello message. - //SSL_set_ssl_method(ssl, Ssl::clientMethod(features.toSquidSSLVersion())); #if defined(TLSEXT_NAMETYPE_host_name) if (!serverName.isEmpty()) { SSL_set_tlsext_host_name(ssl, serverName.c_str()); diff --git a/src/ssl/support.cc b/src/ssl/support.cc index aa74480f17..bec1ddb82e 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -918,7 +918,6 @@ SSL_CTX * sslCreateServerContext(AnyP::PortCfg &port) { int ssl_error; - SSL_CTX *sslContext; const char *keyfile, *certfile; certfile = port.cert; keyfile = port.key; @@ -931,7 +930,7 @@ sslCreateServerContext(AnyP::PortCfg &port) if (!certfile) certfile = keyfile; - sslContext = SSL_CTX_new(port.contextMethod); + SSL_CTX *sslContext = SSL_CTX_new(port.contextMethod); if (sslContext == NULL) { ssl_error = ERR_get_error(); 
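Review bot: `long parsedOptions` is added to PeerOptions with neither an initializer nor any reader or writer anywhere in this diff; unless the constructor (outside this hunk) sets it, it is an uninitialized member that the first user will read as garbage. Either leave it out until the code that fills it lands, or initialize it in-class (`long parsedOptions = 0;`) if the project's C++ level allows, and make the doc line say what it is parsed from and when (`///< sslOptions converted to an SSL_OP_* mask; valid only after createContext()` or whatever the intended contract is). The enclosing class starts before this hunk.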
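Review bot: The three comment lines kept above the removed line in applyToSSL() still describe pinning the SSL method to the client hello's version ("will prevent comunnicating with a tls1.0 server if the client sent and tlsv1.2 Hello message"), but with the commented-out `SSL_set_ssl_method` line gone they now document nothing. Either delete them with the line or rewrite them to state the current situation, e.g. `// NOTE: the SSL method is no longer pinned to the client hello's version here; the negotiable range comes from the context's SSL_OP_NO_* options mask (see Security::PeerOptions and AnyP::PortCfg) — presumably that is enough for bumping, confirm.` The enclosing applyToSSL() starts before and continues after this hunk.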
@@ -1013,114 +1012,6 @@ int Ssl::OpenSSLtoSquidSSLVersion(int sslVersion) return 1; } -#if OPENSSL_VERSION_NUMBER < 0x00909000L -SSL_METHOD * -#else -const SSL_METHOD * -#endif -Ssl::clientMethod(int version) -{ - switch (version) { - - case 2: - debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); - return NULL; - break; - - case 3: - debugs(83, 5, "Using SSLv3."); - return SSLv3_client_method(); - break; - - case 4: - debugs(83, 5, "Using TLSv1."); - return TLSv1_client_method(); - break; - - case 5: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. - debugs(83, 5, "Using TLSv1.1."); - return TLSv1_1_client_method(); -#else - debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy."); - return NULL; -#endif - break; - - case 6: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. - debugs(83, 5, "Using TLSv1.2"); - return TLSv1_2_client_method(); -#else - debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy."); - return NULL; -#endif - break; - - case 1: - - default: - debugs(83, 5, "Using SSLv2/SSLv3."); - return SSLv23_client_method(); - break; - } - - //Not reached - return NULL; -} - -const SSL_METHOD * -Ssl::serverMethod(int version) -{ - switch (version) { - - case 2: - debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); - return NULL; - break; - - case 3: - debugs(83, 5, "Using SSLv3."); - return SSLv3_server_method(); - break; - - case 4: - debugs(83, 5, "Using TLSv1."); - return TLSv1_server_method(); - break; - - case 5: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. - debugs(83, 5, "Using TLSv1.1."); - return TLSv1_1_server_method(); -#else - debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy."); - return NULL; -#endif - break; - - case 6: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. 
- debugs(83, 5, "Using TLSv1.2"); - return TLSv1_2_server_method(); -#else - debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy."); - return NULL; -#endif - break; - - case 1: - - default: - debugs(83, 5, "Using SSLv2/SSLv3."); - return SSLv23_server_method(); - break; - } - - //Not reached - return NULL; -} - #if defined(TLSEXT_TYPE_next_proto_neg) //Dummy next_proto_neg callback static int @@ -1133,19 +1024,18 @@ ssl_next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsi #endif SSL_CTX * -sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) +sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) { int ssl_error; - Ssl::ContextMethod method; - SSL_CTX * sslContext; long fl = Ssl::parse_flags(flags); ssl_initialize(); - if (!(method = Ssl::clientMethod(version))) - return NULL; - - sslContext = SSL_CTX_new(method); +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + SSL_CTX *sslContext = SSL_CTX_new(TLS_client_method()); +#else + SSL_CTX *sslContext = SSL_CTX_new(SSLv23_client_method()); +#endif if (sslContext == NULL) { ssl_error = ERR_get_error(); 
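Review bot: sslCreateClientContext() loses its only failure mode for unsupported protocol versions: the removed clientMethod() returned NULL (logging "TLSv1.1 is not available in this Proxy.") on OpenSSL older than 1.0.1, whereas the compatibility mapping now hands `NO_TLSv1_1`/`NO_TLSv1_2` names to Ssl::parse_options(), whose behaviour on a library without those option bits is outside this diff — if it drops unknown names silently, an old build ends up with a wider range than the operator asked for. Worth a comment at the `SSL_CTX_new` call, `// the method only sets the widest range the library supports; callers narrow it via the options= mask (SSL_OP_NO_*), so an unknown NO_TLSv1_x name must be reported by parse_options(), not ignored`, and a check in parse_options() to match. The function continues past the end of this hunk.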
@@ -1478,58 +1368,6 @@ sslGetUserCertificateChainPEM(SSL *ssl) return str; } -Ssl::ContextMethod -Ssl::contextMethod(int version) -{ - Ssl::ContextMethod method; - - switch (version) { - - case 2: - debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); - return NULL; - break; - - case 3: - debugs(83, 5, "Using SSLv3."); - method = SSLv3_server_method(); - break; - - case 4: - debugs(83, 5, "Using TLSv1."); - method = TLSv1_server_method(); - break; - - case 5: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. - debugs(83, 5, "Using TLSv1.1."); - method = TLSv1_1_server_method(); -#else - debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy."); - return NULL; -#endif - break; - - case 6: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. - debugs(83, 5, "Using TLSv1.2"); - method = TLSv1_2_server_method(); -#else - debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy."); - return NULL; -#endif - break; - - case 1: - - default: - debugs(83, 5, "Using SSLv2/SSLv3."); - method = SSLv23_server_method(); - break; - } - return method; -} - /// \ingroup ServerProtocolSSLInternal /// Create SSL context and apply ssl certificate and private key to it. SSL_CTX * diff --git a/src/ssl/support.h b/src/ssl/support.h index 9e8a3821e5..6e9e3237be 100644 --- a/src/ssl/support.h +++ b/src/ssl/support.h 
@@ -92,7 +92,7 @@ typedef CbDataList CertErrors; SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port); /// \ingroup ServerProtocolSSLAPI -SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile); +SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile); /// \ingroup ServerProtocolSSLAPI int ssl_read_method(int, char *, int); @@ -181,12 +181,6 @@ STACK_OF(X509_CRL) *loadCrl(const char *CRLFile, long &flags); */ DH *readDHParams(const char *dhfile); -/** - \ingroup ServerProtocolSSLAPI - * Compute the Ssl::ContextMethod (SSL_METHOD) from SSL version - */ -ContextMethod contextMethod(int version); - /** \ingroup ServerProtocolSSLAPI * Generate a certificate to be used as untrusted signing certificate, based on a trusted CA @@ -290,13 +284,6 @@ bool setClientSNI(SSL *ssl, const char *fqdn); int OpenSSLtoSquidSSLVersion(int sslVersion); -#if OPENSSL_VERSION_NUMBER >= 0x00909000L -const -#endif -SSL_METHOD *clientMethod(int version); - -const SSL_METHOD *serverMethod(int version); - /** \ingroup ServerProtocolSSLAPI * Initializes the shared session cache if configured diff --git a/src/tests/stub_libsslsquid.cc b/src/tests/stub_libsslsquid.cc index e52608b43a..fe52495154 100644 --- a/src/tests/stub_libsslsquid.cc +++ b/src/tests/stub_libsslsquid.cc 
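Review bot: The Doxygen line for sslCreateClientContext keeps only `\ingroup ServerProtocolSSLAPI` even though the signature drops `version`, so a reader of the header cannot tell where protocol selection went. Add one line above it: `/// Create a client SSL_CTX. The negotiable protocol range is not a parameter: pass SSL_OP_NO_* names in options (see Security::PeerOptions::createContext).`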
@@ -57,7 +57,7 @@ bool CertError::operator == (const CertError &ce) const STUB_RETVAL(false) bool CertError::operator != (const CertError &ce) const STUB_RETVAL(false) } // namespace Ssl SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port) STUB_RETVAL(NULL) -SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) STUB_RETVAL(NULL) +SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) STUB_RETVAL(NULL) int ssl_read_method(int, char *, int) STUB_RETVAL(0) int ssl_write_method(int, const char *, int) STUB_RETVAL(0) void ssl_shutdown_method(SSL *ssl) STUB @@ -76,7 +76,6 @@ long parse_flags(const char *flags) STUB_RETVAL(0) long parse_options(const char *options) STUB_RETVAL(0) STACK_OF(X509_CRL) *loadCrl(const char *CRLFile, long &flags) STUB_RETVAL(NULL) DH *readDHParams(const char *dhfile) STUB_RETVAL(NULL) -ContextMethod contextMethod(int version) STUB_RETVAL(ContextMethod()) bool generateUntrustedCert(X509_Pointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey) STUB_RETVAL(false) SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port) STUB_RETVAL(NULL) bool verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties) STUB_RETVAL(false)