From: Amos Jeffries Date: Mon, 4 Jun 2012 10:25:03 +0000 (-0600) Subject: Add support for TLSv1.1 and TLSv1.2 options and methods X-Git-Tag: SQUID_3_2_0_18~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b281a0fb166622b1fca37efc3094bb746648da88;p=thirdparty%2Fsquid.git Add support for TLSv1.1 and TLSv1.2 options and methods When OpenSSL v1.0.1+ is being built against. Also update the documentation for sslproxy_version which was not mentioning what the supported version codes were. Future work: * make version config option(s) accept a set of named versions and convert to codes internally. * redesign how version and options are handled. Admin should be able to just list the TLSv* wanted and Squid figure out the appropriate options from there.
---
diff --git a/src/cf.data.pre b/src/cf.data.pre
index a6973e2919..a1503bea43 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1400,7 +1400,9 @@ DOC_START
 1 automatic (default)
 2 SSLv2 only
 3 SSLv3 only
- 4 TLSv1 only
+ 4 TLSv1.0 only
+ 5 TLSv1.1 only
+ 6 TLSv1.2 only
 cipher= Colon separated list of supported ciphers.
 NOTE: some ciphers such as EDH ciphers depend on
@@ -1410,9 +1412,11 @@ DOC_START
 options= Various SSL implementation options. The most important being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
 SINGLE_DH_USE Always create a new key when using
 temporary/ephemeral DH key exchanges
 ALL Enable various bug workarounds
@@ -1864,6 +1868,15 @@ LOC: Config.ssl_client.version
 TYPE: int
 DOC_START
 SSL version level to use when proxying https:// URLs
+
+ The versions of SSL/TLS supported:
+
+ 1 automatic (default)
+ 2 SSLv2 only
+ 3 SSLv3 only
+ 4 TLSv1.0 only
+ 5 TLSv1.1 only
+ 6 TLSv1.2 only
 DOC_END
 NAME: sslproxy_options
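Review bot: The new version list added to the sslproxy_version DOC_START block documents codes 5 and 6 without saying that they exist only when Squid is built against OpenSSL 1.0.1 or later; the src/ssl/support.cc changes in this same commit log "TLSv1.1 is not available in this Proxy." and return no context on older builds, so an admin reading only this text cannot tell why the directive fails. I would add after `6 TLSv1.2 only` a line such as `Codes 5 and 6 require Squid to be built against OpenSSL 1.0.1 or later; on older builds no SSL context is created and a DBG_IMPORTANT message is logged.` The same caveat applies to the https_port version= and cache_peer sslversion= lists changed elsewhere in this file, which also gain codes 5 and 6 without it.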
@@ -1876,9 +1889,11 @@ DOC_START
 The most important being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
 SINGLE_DH_USE Always create a new key when using
 temporary/ephemeral DH key exchanges
@@ -2329,21 +2344,25 @@ DOC_START
 reference a combined file containing both the certificate and the key.
- sslversion=1|2|3|4
+ sslversion=1|2|3|4|5|6
 The SSL version to use when connecting to this peer
 1 = automatic (default)
 2 = SSL v2 only
 3 = SSL v3 only
- 4 = TLS v1 only
+ 4 = TLS v1.0 only
+ 5 = TLS v1.1 only
+ 6 = TLS v1.2 only
 sslcipher=...
 The list of valid SSL ciphers to use when connecting to this peer.
 ssloptions=...
 Specify various SSL implementation options:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
 SINGLE_DH_USE Always create a new key when using
 temporary/ephemeral DH key exchanges
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index e075480c8d..2b59465c76 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -390,6 +390,16 @@ ssl_options[] = {
 {
 "NO_TLSv1", SSL_OP_NO_TLSv1
 },
+#endif
+#if SSL_OP_NO_TLSv1_1
+ {
+ "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
+ },
+#endif
+#if SSL_OP_NO_TLSv1_2
+ {
+ "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
+ },
 #endif
 {
 "", 0
@@ -680,6 +690,26 @@ sslCreateServerContext(const char *certfile, const char *keyfile, int version, c
 method = TLSv1_server_method();
 break;
+ case 5:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
+ debugs(83, 5, "Using TLSv1.1.");
+ method = TLSv1_1_server_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
+ case 6:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
+ debugs(83, 5, "Using TLSv1.2");
+ method = TLSv1_2_server_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
 case 1:
 default:
@@ -879,6 +909,26 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, c
 method = TLSv1_client_method();
 break;
+ case 5:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
+ debugs(83, 5, "Using TLSv1.1.");
+ method = TLSv1_1_client_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
+ case 6:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.
+ debugs(83, 5, "Using TLSv1.2");
+ method = TLSv1_2_client_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
 case 1:
 default:
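Review bot: The new `case 5:` and `case 6:` blocks in sslCreateServerContext are gated on `OPENSSL_VERSION_NUMBER >= 0x10001000L`, with the comment itself admitting the exact sub-version is unknown, while the ssl_options table in the same commit gates the matching NO_TLSv1_1/NO_TLSv1_2 entries on the option macros; a build can therefore end up with the option name but not the version code, or the reverse. I would gate both on the same feature macro, replacing `#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet.` with `#if defined(SSL_OP_NO_TLSv1_1)` in case 5 and `#if defined(SSL_OP_NO_TLSv1_2)` in case 6, which also avoids depending on a version number that OpenSSL-compatible forks may report differently; presumably those macros are introduced together with the TLSv1_1_*_method/TLSv1_2_*_method functions, which should be confirmed against the OpenSSL headers before relying on it. The sslCreateClientContext hunk below mirrors these blocks and needs the same change. Minor: the two debug lines differ only in the trailing period, `"Using TLSv1.1."` versus `"Using TLSv1.2"`. sslCreateServerContext begins and ends outside the hunk.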