From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 30 Jun 2015 07:21:06 +0000 (-0700)
Subject: Fix cachemgr 'config' report output for TLS options
X-Git-Tag: merge-candidate-3-v1~38^2~21^2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8250ca31a53cf976d81e79834bbab85b76358398;p=thirdparty%2Fsquid.git

Fix cachemgr 'config' report output for TLS options

Adds Security::PeerOptions::dumpCfg() method to output config
details for the peer TLS settings stored. Takes an optional
prefix string for the option parameters.
- uses prefix "" for tls_outgoing_options
- uses prefix "tls-" for https_port, http_port, and cache_peer
- displays "tls-disable" for directives without TLS settings.

Fixes missing cache_peer config output for TLS settings.

Fixes display of http(s)_port TLS settings 'ssl' prefix.

Fixes tls-min-version= internal operation to avoid polluting
tls-options= config settings.

Also, updates documentation mentions of "SSL" in debugs().
---

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 444c711467..cba6db9ec0 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2189,12 +2189,8 @@ parse_peer(CachePeer ** head)
             p->secure.parse(token+3);
 #endif
         } else if (strncmp(token, "tls-", 4) == 0) {
-#if !USE_OPENSSL
-            debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl");
-#else
             p->secure.encryptTransport = true;
             p->secure.parse(token+4);
-#endif
         } else if (strcmp(token, "front-end-https") == 0) {
             p->front_end_https = 1;
         } else if (strcmp(token, "front-end-https=on") == 0) {
@@ -3794,26 +3790,7 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfgPointer &s)
         storeAppendPrintf(e, " ssl-bump");
 #endif
 
-    if (!s->secure.certFile.isEmpty())
-        storeAppendPrintf(e, " tls-cert=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.certFile));
-
-    if (!s->secure.privateKeyFile.isEmpty() && s->secure.privateKeyFile != s->secure.certFile)
-        storeAppendPrintf(e, " tls-key=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.privateKeyFile));
-
-    if (!s->secure.sslOptions.isEmpty())
-        storeAppendPrintf(e, " tls-options=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.sslOptions));
-
-    if (!s->secure.sslCipher.isEmpty())
-        storeAppendPrintf(e, " tls-cipher=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.sslCipher));
-
-    if (!s->secure.caFile.isEmpty())
-        storeAppendPrintf(e, " tls-cafile=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.caFile));
-
-    if (!s->secure.caDir.isEmpty())
-        storeAppendPrintf(e, " tls-capath=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.caDir));
-
-    if (!s->secure.crlFile.isEmpty())
-        storeAppendPrintf(e, " tls-crlfile=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.crlFile));
+    s->secure.dumpCfg(e, "tls-");
 
 #if USE_OPENSSL
     if (s->dhfile)
@@ -3831,9 +3808,6 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfgPointer &s)
     if (s->dynamicCertMemCacheSize != std::numeric_limits<size_t>::max())
         storeAppendPrintf(e, "dynamic_cert_mem_cache_size=%lu%s\n", (unsigned long)s->dynamicCertMemCacheSize, B_BYTES_STR);
 #endif
-
-    if (!s->secure.sslFlags.isEmpty())
-        storeAppendPrintf(e, " tls-flags=" SQUIDSBUFPH, SQUIDSBUFPRINT(s->secure.sslFlags));
 }
 
 static void
diff --git a/src/neighbors.cc b/src/neighbors.cc
index 9f8b05201a..009b177f88 100644
--- a/src/neighbors.cc
+++ b/src/neighbors.cc
@@ -1556,6 +1556,7 @@ dump_peer_options(StoreEntry * sentry, CachePeer * p)
     else if (p->connection_auth == 2)
         storeAppendPrintf(sentry, " connection-auth=auto");
 
+    p->secure.dumpCfg(sentry,"tls-");
     storeAppendPrintf(sentry, "\n");
 }
 
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 4aeaad3107..27595c929d 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -7,6 +7,7 @@
  */
 
 #include "squid.h"
+#include "base/Packable.h"
 #include "Debug.h"
 #include "fatal.h"
 #include "globals.h"
@@ -87,6 +88,39 @@ Security::PeerOptions::parse(const char *token)
     }
 }
 
+void
+Security::PeerOptions::dumpCfg(Packable *p, const char *pfx) const
+{
+    if (!encryptTransport) {
+        p->appendf(" %sdisable", pfx);
+        return; // no other settings are relevant
+    }
+
+    if (!certFile.isEmpty())
+        p->appendf(" %scert=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(certFile));
+
+    if (!privateKeyFile.isEmpty() && privateKeyFile != certFile)
+        p->appendf(" %skey=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(privateKeyFile));
+
+    if (!sslOptions.isEmpty())
+        p->appendf(" %soptions=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslOptions));
+
+    if (!sslCipher.isEmpty())
+        p->appendf(" %scipher=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslCipher));
+
+    if (!caFile.isEmpty())
+        p->appendf(" %scafile=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(caFile));
+
+    if (!caDir.isEmpty())
+        p->appendf(" %scapath=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(caDir));
+
+    if (!crlFile.isEmpty())
+        p->appendf(" %scrlfile=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(crlFile));
+
+    if (!sslFlags.isEmpty())
+        p->appendf(" %sflags=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(sslFlags));
+}
+
 void
 Security::PeerOptions::updateTlsVersionLimits()
 {
@@ -95,12 +129,19 @@ Security::PeerOptions::updateTlsVersionLimits()
         int64_t v = 0;
         if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 2) {
             // only account for TLS here - SSL versions are handled by options= parameter
+            // avoid affectign options= parameter in cachemgr config report
+#if SSL_OP_NO_TLSv1
             if (v > 0)
-                sslOptions.append(",NO_TLSv1",9);
+                parsedOptions |= SSL_OP_NO_TLSv1;
+#endif
+#if SSL_OP_NO_TLSv1_1
             if (v > 1)
-                sslOptions.append(",NO_TLSv1_1",11);
+                parsedOptions |= SSL_OP_NO_TLSv1_1;
+#endif
+#if SSL_OP_NO_TLSv1_2
             if (v > 2)
-                sslOptions.append(",NO_TLSv1_2",11);
+                parsedOptions |= SSL_OP_NO_TLSv1_2;
+#endif
 
         } else {
             debugs(0, DBG_PARSE_NOTE(1), "WARNING: Unknown TLS minimum version: " << tlsMinVersion);
@@ -109,7 +150,8 @@ Security::PeerOptions::updateTlsVersionLimits()
     } else if (sslVersion > 2) {
         // backward compatibility hack for sslversion= configuration
         // only use if tls-min-version=N.N is not present
-
+        // values 0-2 for auto and SSLv2 are not supported any longer.
+        // Do it this way so we DO cause changes to options= in cachemgr config report
         const char *add = NULL;
         switch (sslVersion) {
         case 3:
@@ -335,7 +377,7 @@ Security::ParseOptions(const char *options)
             /* Special case.. hex specification */
             value = strtol(option + 2, NULL, 16);
         } else {
-            fatalf("Unknown SSL option '%s'", option);
+            fatalf("Unknown TLS option '%s'", option);
             value = 0;      /* Keep GCC happy */
         }
 
@@ -398,7 +440,7 @@ Security::ParseFlags(const SBuf &flags)
             }
         }
         if (!found)
-            fatalf("Unknown SSL flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining()));
+            fatalf("Unknown TLS flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining()));
         fl |= found;
     } while (tok.skipOne(delims));
 
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index 255a896998..cf5aefec37 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -13,6 +13,8 @@
 #include "SBuf.h"
 #include "security/forward.h"
 
+class Packable;
+
 namespace Security
 {
 
@@ -35,6 +37,9 @@ public:
     /// sync the context options with tls-min-version=N configuration
     void updateTlsVersionLimits();
 
+    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
+    void dumpCfg(Packable *, const char *pfx) const;
+
     SBuf certFile;       ///< path of file containing PEM format X509 certificate
     SBuf privateKeyFile; ///< path of file containing private key in PEM format
     SBuf sslOptions;     ///< library-specific options string
@@ -77,7 +82,7 @@ long ParseFlags(const SBuf &);
 // parse the tls_outgoing_options directive
 void parse_securePeerOptions(Security::PeerOptions *);
 #define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
-#define dump_securePeerOptions(e,n,x) // not supported yet
+#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
 
 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
 
diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
index 32cce654b4..6d2396664c 100644
--- a/src/tests/stub_libsecurity.cc
+++ b/src/tests/stub_libsecurity.cc
@@ -21,6 +21,7 @@ Security::PeerOptions Security::ProxyOutgoingConfig;
 void Security::PeerOptions::parse(char const*) STUB
 Security::ContextPointer Security::PeerOptions::createClientContext(bool) STUB_RETVAL(NULL)
 void Security::PeerOptions::updateTlsVersionLimits() STUB
+void Security::PeerOptions::dumpCfg(Packable*, char const*) const STUB
 void parse_securePeerOptions(Security::PeerOptions *) STUB
 long Security::ParseOptions(const char *) STUB_RETVAL(0)
 long Security::ParseFlags(const SBuf &) STUB_RETVAL(0)