From: hno <> Date: Thu, 17 Apr 2003 21:25:43 +0000 (+0000) Subject: dhparams=/path/to/file.pem https_port option to specify DH parameters X-Git-Tag: SQUID_3_0_PRE1~251 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35105e4ba73df707e582ef6fb2a55d1133a37392;p=thirdparty%2Fsquid.git dhparams=/path/to/file.pem https_port option to specify DH parameters for forward-secrecy in encryption (practically denies decryption even if the private key is known from what I understand). --- diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 8aff02feab..7c3039e9c7 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -1,6 +1,6 @@ /* - * $Id: cache_cf.cc,v 1.438 2003/03/10 04:56:36 robertc Exp $ + * $Id: cache_cf.cc,v 1.439 2003/04/17 15:25:43 hno Exp $ * * DEBUG: section 3 Configuration File Parsing * AUTHOR: Harvest Derived @@ -2907,6 +2907,9 @@ parse_https_port_list(https_port_list ** head) } else if (strncmp(token, "capath=", 7) == 0) { safe_free(s->capath); s->capath = xstrdup(token + 7); + } else if (strncmp(token, "dhparams=", 9) == 0) { + safe_free(s->dhfile); + s->dhfile = xstrdup(token + 9); } else if (strncmp(token, "sslflags=", 9) == 0) { safe_free(s->sslflags); s->sslflags = xstrdup(token + 9); @@ -2915,7 +2918,7 @@ parse_https_port_list(https_port_list ** head) } } - s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath); + s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->dhfile); if (!s->sslContext) self_destruct(); @@ -2953,6 +2956,9 @@ dump_https_port_list(StoreEntry * e, const char *n, const https_port_list * s) if (s->capath) storeAppendPrintf(e, " capath=%s", s->capath); + if (s->dhfile) + storeAppendPrintf(e, " dhparams=%s", s->dhfile); + if (s->sslflags) storeAppendPrintf(e, " sslflags=%s", s->sslflags); diff --git a/src/cf.data.pre b/src/cf.data.pre index 5da6b6d14c..c04cda18cd 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.310 2003/04/14 19:57:10 hno Exp $ +# $Id: cf.data.pre,v 1.311 2003/04/17 15:25:44 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -148,8 +148,10 @@ DOC_START NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1 - See src/ssl_support.c or OpenSSL documentation - for a more complete list. + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. clientca= File containing the list of CAs to use when requesting a client certificate @@ -161,6 +163,9 @@ DOC_START capath= Directory containing additional CA certificates to use when verifying client certificates + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges + sslflags= Various flags modifying the use of SSL: DELAYED_AUTH Don't request client certificates diff --git a/src/ssl_support.cc b/src/ssl_support.cc index 66751787c0..a9ce482404 100644 --- a/src/ssl_support.cc +++ b/src/ssl_support.cc @@ -1,6 +1,6 @@ /* - * $Id: ssl_support.cc,v 1.12 2003/02/21 22:50:11 robertc Exp $ + * $Id: ssl_support.cc,v 1.13 2003/04/17 15:25:44 hno Exp $ * * AUTHOR: Benno Rice * DEBUG: section 83 SSL accelerator support @@ -419,7 +419,7 @@ ssl_initialize(void) } SSL_CTX * -sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath) +sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhfile) { int ssl_error; SSL_METHOD *method; @@ -547,6 +547,30 @@ sslCreateServerContext(const char *certfile, const char *keyfile, int version, c SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); } + if (dhfile) { + FILE *in = fopen(dhfile, "r"); + DH *dh = NULL; + int codes; + + if (in) { + dh = PEM_read_DHparams(in, NULL, NULL, NULL); + fclose(in); + } + + if (!dh) + debug(83, 1) ("WARNING: Failed to read DH parameters '%s'\n", dhfile); + else if (dh && DH_check(dh, &codes) == 0) { + if (codes) { + debug(83, 1) ("WARNING: Failed to verify DH parameters '%s' (%x)\n", dhfile, codes); + DH_free(dh); + dh = NULL; + } + } + + if (dh) + SSL_CTX_set_tmp_dh(sslContext, dh); + } + if (fl & SSL_FLAG_DONT_VERIFY_DOMAIN) SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1); diff --git a/src/ssl_support.h b/src/ssl_support.h index 17296e0962..fcc4443b81 100644 --- a/src/ssl_support.h +++ b/src/ssl_support.h @@ -1,6 +1,6 @@ /* - * $Id: ssl_support.h,v 1.7 2003/02/17 07:01:37 robertc Exp $ + * $Id: ssl_support.h,v 1.8 2003/04/17 15:25:44 hno Exp $ * * AUTHOR: Benno Rice * @@ -46,7 +46,7 @@ #include #endif -SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath); +SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhpath); SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath); int ssl_read_method(int, char *, int); int ssl_write_method(int, const char *, int); diff --git a/src/structs.h b/src/structs.h index 53f05af048..23d7b6b516 100644 --- a/src/structs.h +++ b/src/structs.h @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.460 2003/03/15 04:17:41 robertc Exp $ + * $Id: structs.h,v 1.461 2003/04/17 15:25:44 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -195,6 +195,7 @@ struct _https_port_list char *clientca; char *cafile; char *capath; + char *dhfile; char *sslflags; SSL_CTX *sslContext; };