From: Amos Jeffries Date: Fri, 15 Jan 2016 06:57:17 +0000 (+1300) Subject: Bug 4005: Dynamic certificate cache exceeds dynamic_cert_mem_cache_size X-Git-Tag: SQUID_4_0_5~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=435c72b07c5b7ebf782049cd2b50abe79a6f7db5;p=thirdparty%2Fsquid.git Bug 4005: Dynamic certificate cache exceeds dynamic_cert_mem_cache_size * disable the use of system CA by default to verify client connection certificates. Since the use of client certificates is rare. * no change to verification of upstream server or peer certificates. Since the use of system CA to sign server certificates is common. * the new "default-ca" configuration option and its documentation are updated to make the situation more obvious amongst the other TLS options changes in Squid-4. * the action of the sslflags=NO_DEFAULT_CA is already deprecated, so no change when it is used. On port lines it now merely sets the default. It may be a good idea to also disable system CA use for cache_peer and ICAPS connections. For now they are left unchanged. --- diff --git a/doc/release-notes/release-4.sgml b/doc/release-notes/release-4.sgml index c007bf7e69..60550171c1 100644 --- a/doc/release-notes/release-4.sgml +++ b/doc/release-notes/release-4.sgml @@ -91,6 +91,13 @@ Most user-facing changes are reflected in squid.conf (see below). to configure the minimum version the TLS negotiation will allow to be used when an old TLS version is requested by the remote endpoint. +

The system Trusted CAs are no longer used by default when verifying client + certificates. The cafile= option should be used instead to load + the specific CA which signed acceptible client certificates explicitly, + even if that CA is one of the system Trusted CAs. + The tls-default-ca option can be used to restore the old + behaviour explicitly if needed. + MSNT-multi-domain helper removal

The basic_msnt_multi_domain_auth helper has been removed. The @@ -161,7 +168,7 @@ This section gives a thorough account of those changes in three categories:

New option auth-no-keytab to let GSSAPI implementation determine which Kerberos credentials to use, instead of specifying a keytab.

New option tls-min-version=1.N to set minimum TLS version allowed. -

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA +

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA

New option tls-no-npn to disable sending TLS NPN extension.

All ssloptions= values for SSLv2 configuration or disabling have been removed. @@ -176,18 +183,20 @@ This section gives a thorough account of those changes in three categories: http_port

New option tls-min-version=1.N to set minimum TLS version allowed. -

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA +

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA

New option tls-no-npn to disable sending TLS NPN extension.

All option= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

Manual squid.conf update may be required on upgrade.

Replaced cafile= with tls-cafile= which takes multiple entries. -

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA +

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, + the default is also changed to OFF. https_port

New option tls-min-version=1.N to set minimum TLS version allowed. -

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA +

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, + the default is also changed to OFF.

New option tls-no-npn to disable sending TLS NPN extension.

All options= values for SSLv2 configuration or disabling have been removed. @@ -210,6 +219,8 @@ This section gives a thorough account of those changes in three categories: certificate(s) to verify the server certificate.

New tls-crlfile= option to set a file with a CRL to verify the server certificate. +

New tls-default-ca option to use the system Trusted CAs to + verify the server certificate.

New tls-domain= option to verify the server certificate domain. logformat diff --git a/src/cf.data.pre b/src/cf.data.pre index 661021d41f..761a4b6c0c 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2013,8 +2013,8 @@ DOC_START Verify CRL lists for all certificates in the client certificate chain. - tls-no-default-ca - Do not use the system default Trusted CA. + tls-default-ca[=off] + Whether to use the system Trusted CAs. Default is OFF. tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. @@ -2551,7 +2551,8 @@ DOC_START Don't verify the peer certificate matches the server name - no-default-ca Do not use the system default Trusted CA. + default-ca[=off] + Whether to use the system Trusted CAs. Default is ON. domain= The peer name as advertised in its certificate. Used for verifying the correctness of the received peer @@ -3326,9 +3327,9 @@ DOC_START See MS KB document Q307347 for details on this header. If set to auto the header will only be added if the request is forwarded as a https:// URL. - - tls-no-default-ca - Do not use the system default Trusted CA. + + tls-default-ca[=off] + Whether to use the system Trusted CAs. Default is ON. tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1. @@ -8527,7 +8528,7 @@ DOC_START the icap server certificate. Use to specify intermediate CA certificate(s) if not sent by the server. Or the full CA chain for the server when - using the tls-no-default-ca flag. + using the tls-default-ca=off flag. May be repeated to load multiple files. tls-capath=... A directory containing additional CA certificates to @@ -8546,8 +8547,8 @@ DOC_START Don't verify the icap server certificate matches the server name - tls-no-default-ca - Do no use the system default Trusted CA. + tls-default-ca[=off] + Whether to use the system Trusted CAs. Default is ON. tls-domain= The icap server name as advertised in it's certificate. Used for verifying the correctness of the received icap diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index c152684839..4861d0f4b9 100644 --- a/src/security/PeerOptions.cc +++ b/src/security/PeerOptions.cc @@ -91,8 +91,14 @@ Security::PeerOptions::parse(const char *token) } sslFlags = SBuf(token + 6); parsedFlags = parseFlags(); - } else if (strncmp(token, "no-default-ca", 13) == 0) { - flags.tlsDefaultCa = false; + } else if (strncmp(token, "default-ca=off", 14) == 0 || strncmp(token, "no-default-ca", 13) == 0) { + if (flags.tlsDefaultCa.configured() && flags.tlsDefaultCa) + fatalf("ERROR: previous default-ca settings conflict with %s", token); + flags.tlsDefaultCa.configure(false); + } else if (strncmp(token, "default-ca=on", 13) == 0 || strncmp(token, "default-ca", 10) == 0) { + if (flags.tlsDefaultCa.configured() && !flags.tlsDefaultCa) + fatalf("ERROR: previous default-ca settings conflict with %s", token); + flags.tlsDefaultCa.configure(true); } else if (strncmp(token, "domain=", 7) == 0) { sslDomain = SBuf(token + 7); } else if (strncmp(token, "no-npn", 6) == 0) { @@ -140,8 +146,14 @@ Security::PeerOptions::dumpCfg(Packable *p, const char *pfx) const if (!sslFlags.isEmpty()) p->appendf(" %sflags=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslFlags)); - if (!flags.tlsDefaultCa) - p->appendf(" %sno-default-ca", pfx); + if (flags.tlsDefaultCa.configured()) { + // default ON for peers / upstream servers + // default OFF for listening ports + if (flags.tlsDefaultCa) + p->appendf(" %sdefault-ca", pfx); + else + p->appendf(" %sdefault-ca=off", pfx); + } if (!flags.tlsNpn) p->appendf(" %sno-npn", pfx); @@ -500,8 +512,10 @@ Security::PeerOptions::parseFlags() if (!found) fatalf("Unknown TLS flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining())); if (found == SSL_FLAG_NO_DEFAULT_CA) { - debugs(83, DBG_PARSE_NOTE(2), "UPGRADE WARNING: flags=NO_DEFAULT_CA is deprecated. Use tls-no-default-ca instead."); - flags.tlsDefaultCa = false; + if (flags.tlsDefaultCa.configured() && flags.tlsDefaultCa) + fatal("ERROR: previous default-ca settings conflict with sslflags=NO_DEFAULT_CA"); + debugs(83, DBG_PARSE_NOTE(2), "WARNING: flags=NO_DEFAULT_CA is deprecated. Use tls-default-ca=off instead."); + flags.tlsDefaultCa.configure(false); } else fl |= found; } while (tok.skipOne(delims)); diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h index 598656e275..b134f7e4bd 100644 --- a/src/security/PeerOptions.h +++ b/src/security/PeerOptions.h @@ -9,6 +9,7 @@ #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H #define SQUID_SRC_SECURITY_PEEROPTIONS_H +#include "base/YesNoNone.h" #include "ConfigParser.h" #include "security/KeyData.h" @@ -75,7 +76,7 @@ public: std::list caFiles; ///< paths of files containing trusted Certificate Authority Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate -private: +protected: int sslVersion; /// flags governing Squid internal TLS operations @@ -83,7 +84,7 @@ private: flags_() : tlsDefaultCa(true), tlsNpn(true) {} /// whether to use the system default Trusted CA when verifying the remote end certificate - bool tlsDefaultCa; + YesNoNone tlsDefaultCa; /// whether to use the TLS NPN extension on these connections bool tlsNpn; diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h index a19275da43..692ad79ed5 100644 --- a/src/security/ServerOptions.h +++ b/src/security/ServerOptions.h @@ -18,7 +18,11 @@ namespace Security class ServerOptions : public PeerOptions { public: - ServerOptions() : PeerOptions() {} + ServerOptions() : PeerOptions() { + // Bug 4005: dynamic contexts use a lot of memory and it + // is more secure to have only a small set of trusted CA. + flags.tlsDefaultCa.defaultTo(false); + } explicit ServerOptions(const Security::ServerOptions &); virtual ~ServerOptions() = default;