From: Amos Jeffries Date: Sun, 5 Feb 2017 05:57:32 +0000 (+1300) Subject: Crypto-NG: initial GnuTLS support for encrypted server connections X-Git-Tag: M-staged-PR71~284 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f5b28fe18637452647d7000a0ac21103f8b660e;p=thirdparty%2Fsquid.git Crypto-NG: initial GnuTLS support for encrypted server connections Make significant changes to how the options= config settings are handled internally since GnuTLS does not expose the priority_t implementation details like OpenSSL. They are also applied to the session object instead of to the context. The Security::SessionPointer is converted to std::shared_ptr. This is required because GnuTLS does not expose the locking like OpenSSL. Since we store the SessionPointer to fde::Table::ssl we can always access it from there one way or another and there is actually no need for OpenSSL locking sessions now. Most of the remaining session lifecycle logic is moved to security/Session.* and given a generic API. Only some client-connection and SSL-Bump related setup remains in ssl/. A fair amount more debug is added along with some text changes doing s/SSL/TLS/ in code comments and debug outputs. --- 3f5b28fe18637452647d7000a0ac21103f8b660e diff --cc src/cf.data.pre index ca37b4a263,7be7ebd603..64e7dea1c2 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@@ -2685,15 -2612,15 +2685,11 @@@ DOC_STAR To control SSLv3 use the options= parameter. Supported Values: 1.0 (default), 1.1, 1.2 -- options=... Specify various TLS/SSL implementation options: - - NO_SSLv3 Disallow the use of SSLv3 ++ options=... Specify various TLS/SSL implementation options. - NO_SSLv3 Disallow the use of SSLv3 - -- NO_TLSv1 Disallow the use of TLSv1.0 - - NO_TLSv1_1 Disallow the use of TLSv1.1 ++ OpenSSL options most important are: - NO_TLSv1_1 Disallow the use of TLSv1.1 - -- NO_TLSv1_2 Disallow the use of TLSv1.2 ++ NO_SSLv3 Disallow the use of SSLv3 SINGLE_DH_USE Always create a new key when using @@@ -2710,8 -2637,8 +2706,21 @@@ Be warned that this reduces SSL/TLS strength to some attacks. -- See the OpenSSL SSL_CTX_set_options documentation for a -- more complete list. ++ See the OpenSSL SSL_CTX_set_options documentation ++ for a more complete list. ++ ++ GnuTLS options most important are: ++ ++ %NO_TICKETS ++ Disable use of RFC5077 session tickets. ++ Some servers may have problems ++ understanding the TLS extension due ++ to ambiguous specification in RFC4507. ++ ++ See the GnuTLS Priority Strings documentation ++ for a more complete list. ++ http://www.gnutls.org/manual/gnutls.html#Priority-Strings ++ cafile= PEM file containing CA certificates to use when verifying the peer certificate. May be repeated to load multiple files. @@@ -3447,18 -3374,18 +3456,14 @@@ DOC_STAR tls-min-version=1.N The minimum TLS protocol version to permit. To control -- SSLv3 use the ssloptions= parameter. ++ SSLv3 use the tls-options= parameter. Supported Values: 1.0 (default), 1.1, 1.2 -- ssloptions=... Specify various SSL implementation options: ++ tls-options=... Specify various TLS implementation options. -- NO_SSLv3 Disallow the use of SSLv3 ++ OpenSSL options most important are: -- NO_TLSv1 Disallow the use of TLSv1.0 -- -- NO_TLSv1_1 Disallow the use of TLSv1.1 -- -- NO_TLSv1_2 Disallow the use of TLSv1.2 ++ NO_SSLv3 Disallow the use of SSLv3 SINGLE_DH_USE Always create a new key when using @@@ -3477,7 -3404,7 +3482,19 @@@ See the OpenSSL SSL_CTX_set_options documentation for a more complete list. -- ++ ++ GnuTLS options most important are: ++ ++ %NO_TICKETS ++ Disable use of RFC5077 session tickets. ++ Some servers may have problems ++ understanding the TLS extension due ++ to ambiguous specification in RFC4507. ++ ++ See the GnuTLS Priority Strings documentation ++ for a more complete list. ++ http://www.gnutls.org/manual/gnutls.html#Priority-Strings ++ tls-cafile= PEM file containing CA certificates to use when verifying the peer certificate. May be repeated to load multiple files. @@@ -8772,17 -8699,17 +8789,13 @@@ DOC_STAR tls-min-version=1.N The minimum TLS protocol version to permit. To control -- SSLv3 use the ssloptions= parameter. ++ SSLv3 use the tls-options= parameter. Supported Values: 1.0 (default), 1.1, 1.2 tls-options=... Specify various OpenSSL library options: NO_SSLv3 Disallow the use of SSLv3 -- NO_TLSv1 Disallow the use of TLSv1.0 -- NO_TLSv1_1 Disallow the use of TLSv1.1 -- NO_TLSv1_2 Disallow the use of TLSv1.2 -- SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges diff --cc src/ssl/bio.h index 512a3b5a45,e4d1764dc1..c99d565b74 --- a/src/ssl/bio.h +++ b/src/ssl/bio.h @@@ -9,7 -9,8 +9,9 @@@ #ifndef SQUID_SSL_BIO_H #define SQUID_SSL_BIO_H + #if USE_OPENSSL + +#include "FadingCounter.h" #include "fd.h" #include "security/Handshake.h" diff --cc src/ssl/support.cc index 8cecb599c8,dea8df5ab0..12d0cc12bc --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@@ -632,8 -655,8 +633,6 @@@ Ssl::InitClientContext(Security::Contex if (!ctx) return false; - SSL_CTX_set_options(ctx.get(), options); - maybeDisableRenegotiate(ctx); -- if (!peer.sslCipher.isEmpty()) { debugs(83, 5, "Using chiper suite " << peer.sslCipher << ".");