From: Amos Jeffries
Date: Sat, 15 Nov 2014 08:00:34 +0000 (-0800)
Subject: Add tls_outgoing_options directive
X-Git-Tag: merge-candidate-3-v1~242^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=195f8adbf65e1995fd578445c0755dce78479546;p=thirdparty%2Fsquid.git

Add tls_outgoing_options directive

This directive combines the sslproxy_* directive settings into one config line parsed into a Security::PeerOptions object.
---
diff --git a/src/cf.data.depend b/src/cf.data.depend
index 52b4aa7edd..3a1600dffb 100644
--- a/src/cf.data.depend
+++ b/src/cf.data.depend
@@ -58,6 +58,7 @@ QosConfig
 TokenOrQuotedString
 refreshpattern
 removalpolicy
+securePeerOptions
 size_t
 IpAddress_list
 string
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 2c43f0eb1e..ed00f4255e 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2364,6 +2364,81 @@ DOC_START
 	see host_verify_strict for details on the verification process.
 DOC_END
 
+COMMENT_START
+ TLS OPTIONS
+ -----------------------------------------------------------------------------
+COMMENT_END
+
+NAME: tls_outgoing_options
+IFDEF: USE_GNUTLS||USE_OPENSSL
+TYPE: securePeerOptions
+DEFAULT: disable
+LOC: Security::SslProxyConfig
+DOC_START
+	disable		Do not support https:// URLs.
+
+	cert=/path/to/client/certificate
+			A client TLS certificate to use when connecting.
+
+	key=/path/to/client/private_key
+			The private TLS key corresponding to the cert= above.
+			If key= is not specified cert= is assumed to reference
+			a PEM file containing both the certificate and the key.
+
+	version=1|3|4|5|6
+			The TLS/SSL version to use when connecting
+				1 = automatic (default)
+				3 = SSL v3 only
+				4 = TLS v1.0 only
+				5 = TLS v1.1 only
+				6 = TLS v1.2 only
+
+	cipher=...	The list of valid TLS ciphers to use.
+
+	options=...	Specify various TLS/SSL implementation options:
+
+			NO_SSLv3    Disallow the use of SSLv3
+			NO_TLSv1    Disallow the use of TLSv1.0
+			NO_TLSv1_1  Disallow the use of TLSv1.1
+			NO_TLSv1_2  Disallow the use of TLSv1.2
+			SINGLE_DH_USE
+				Always create a new key when using
+				temporary/ephemeral DH key exchanges
+			ALL         Enable various bug workarounds
+				suggested as "harmless" by OpenSSL
+				Be warned that this reduces TLS/SSL
+				strength to some attacks.
+
+			See the OpenSSL SSL_CTX_set_options documentation for a
+			more complete list.
+
+	cafile=...	A file containing additional CA certificates to use
+			when verifying the peer certificate.
+
+	capath=...	A directory containing additional CA certificates to
+			use when verifying the peer certificate.
+
+	crlfile=...	A certificate revocation list file to use when
+			verifying the peer certificate.
+
+	flags=...	Specify various flags modifying the TLS implementation:
+
+			DONT_VERIFY_PEER
+				Accept certificates even if they fail to
+				verify.
+			NO_DEFAULT_CA
+				Don't use the default CA list built in
+				to OpenSSL.
+			DONT_VERIFY_DOMAIN
+				Don't verify the peer certificate
+				matches the server name
+
+	domain=		The peer name as advertised in its certificate.
+			Used for verifying the correctness of the received peer
+			certificate. If not specified the peer hostname will be
+			used.
+DOC_END
+
 COMMENT_START
 	SSL OPTIONS
 	-----------------------------------------------------------------------------
diff --git a/src/cf_gen_defines b/src/cf_gen_defines
index 5b8ddc1539..7b97d94553 100644
--- a/src/cf_gen_defines
+++ b/src/cf_gen_defines
@@ -20,6 +20,7 @@ BEGIN {
 	define["USE_DELAY_POOLS"]="--enable-delay-pools"
 	define["USE_ECAP"]="--enable-ecap"
 	define["USE_ERR_LOCALES"]="--enable-auto-locale"
+	define["USE_GNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl"
 	define["USE_HTCP"]="--enable-htcp"
 	define["USE_HTTP_VIOLATIONS"]="--enable-http-violations"
 	define["USE_ICMP"]="--enable-icmp"
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 32f549d5a5..03d44e26f7 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -16,6 +16,8 @@
 #include "ssl/support.h"
 #endif
 
+Security::PeerOptions Security::SslProxyConfig;
+
 void
 Security::PeerOptions::parse(const char *token)
 {
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index 1730214a9e..9dbf9ae4cf 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -9,6 +9,7 @@
 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
 
+#include "ConfigParser.h"
 #include "SBuf.h"
 #include "security/Context.h"
 
@@ -23,6 +24,9 @@ public:
     /// parse a TLS squid.conf option
     void parse(const char *);
 
+    /// reset the configuration details to default
+    void clear() {*this = PeerOptions();}
+
     /// generate a security context from the configured options
     Security::ContextPointer createContext();
 
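Review bot: The tls_outgoing_options DOC does not say how the directive relates to the sslproxy_* directives it is meant to combine, nor whether a second tls_outgoing_options line replaces or extends the first; the parse hook in security/PeerOptions.h just feeds each token to parse() without clearing first, which reads as merge semantics, so the doc should state that explicitly, e.g. `Settings from multiple tls_outgoing_options lines are merged; later values override earlier ones.` (adjusted to what the implementation actually does). Since `disable` is also the DEFAULT: value, a sentence stating that outgoing TLS is off until this directive is configured would remove the ambiguity of listing it as just another keyword. If the sslproxy_* directives remain parsable in this tree, the precedence between them and this directive also belongs here.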
@@ -41,6 +45,21 @@ public:
     SBuf sslDomain;
 };
 
+/// configuration options for DIRECT server access
+extern PeerOptions SslProxyConfig;
+
 } // namespace Security
 
+// parse the tls_outgoing_options directive
+inline void
+parse_securePeerOptions(Security::PeerOptions *opt)
+{
+    while(const char *token = ConfigParser::NextToken()) {
+        opt->parse(token);
+    }
+}
+
+#define free_securePeerOptions(x) Security::SslProxyConfig.clear()
+#define dump_securePeerOptions(e,n,x) // not supported yet
+
 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
index b202d84208..e93f185e6b 100644
--- a/src/tests/stub_libsecurity.cc
+++ b/src/tests/stub_libsecurity.cc
@@ -12,5 +12,6 @@
 #include "tests/STUB.h"
 #include "security/PeerOptions.h"
 
+Security::PeerOptions Security::SslProxyConfig;
 void Security::PeerOptions::parse(char const*) STUB
 Security::ContextPointer Security::PeerOptions::createContext() STUB_RETVAL(NULL)
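Review bot: free_securePeerOptions ignores its argument and always clears the global Security::SslProxyConfig, whereas parse_securePeerOptions operates on whatever pointer cf_gen hands it; if the securePeerOptions type is ever attached to a second LOC the free hook would silently reset the wrong object, so the two should agree: `#define free_securePeerOptions(x) (x)->clear()`. parse_securePeerOptions also never calls clear() before consuming tokens, so a repeated tls_outgoing_options line layers onto the earlier one rather than replacing it; if that merge is intended, say so in the comment above the function (`// tokens from repeated directive lines are merged, later values win`), otherwise add `opt->clear();` before the loop. dump_securePeerOptions expanding to nothing means the effective outgoing TLS settings will be absent from `squid -k parse` and cachemgr config output, which is worth a TODO naming the intended dump format rather than a bare "not supported yet". Minor style: `while (const char *token = ...)` with a space, matching the surrounding Squid code.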