Add tls-no-default-ca option to replace sslflags=NO_DEFAULT_CA
authorAmos Jeffries <squid3@treenet.co.nz>
Fri, 9 Oct 2015 06:02:01 +0000 (23:02 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Fri, 9 Oct 2015 06:02:01 +0000 (23:02 -0700)
doc/release-notes/release-4.sgml
src/cache_cf.cc
src/cf.data.pre
src/security/PeerOptions.cc
src/security/PeerOptions.h

index 51b65fd35618d365b688d52696b5dbe68910d8c0..73711f1fa7c8b7b6502b89e0922b80ce715ff43f 100644 (file)
@@ -170,6 +170,7 @@ This section gives a thorough account of those changes in three categories:
 
        <tag>cache_peer</tag>
        <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
+       <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
        <p>All <em>ssloptions=</em> values for SSLv2 configuration or disabling
           have been removed.
        <p>Removed <em>sslversion=</em> option. Use <em>tls-options=</em> instead.
@@ -182,6 +183,7 @@ This section gives a thorough account of those changes in three categories:
 
        <tag>http_port</tag>
        <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
+       <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
        <p>All <em>option=</em> values for SSLv2 configuration or disabling
           have been removed.
        <p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
@@ -193,9 +195,11 @@ This section gives a thorough account of those changes in three categories:
           parameter file name.
        <p>Manual squid.conf update may be required on upgrade.
        <p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries.
+       <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
 
        <tag>https_port</tag>
        <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
+       <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
        <p>All <em>options=</em> values for SSLv2
           configuration or disabling have been removed.
        <p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead.
index ff4473e6524834c0c502f31584dbe0cd99e08555..830451908bdcd379253c96970d55ebd864c7bb1b 100644 (file)
@@ -3594,6 +3594,7 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token)
         safe_free(s->tls_dh);
         s->tls_dh = xstrdup(token + 7);
     } else if (strncmp(token, "sslflags=", 9) == 0) {
+        // NP: deprecation warnings output by secure.parse() when relevant
         s->secure.parse(token+3);
     } else if (strncmp(token, "sslcontext=", 11) == 0) {
         safe_free(s->sslContextSessionId);
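Review bot: The added comment says where the warnings come from but leaves the non-obvious part of this branch undocumented: `token+3` on the next line drops the `ssl` prefix so that `secure.parse()` receives `flags=...` rather than `sslflags=...`. Consider `// NP: token+3 drops the "ssl" prefix; deprecation warnings are output by secure.parse() when relevant` so the offset is not mistaken for a typo. parse_port_option starts and continues outside the hunk.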
index 21295c77b50da35b9b27e8d48a7506c09f935ace..4b08675721c551fa8d12b889470af9c76b975781 100644 (file)
@@ -1992,9 +1992,6 @@ DOC_START
                                Don't request client certificates
                                immediately, but wait until acl processing
                                requires a certificate (not yet implemented).
-                           NO_DEFAULT_CA
-                               Don't use the default CA lists built in
-                               to OpenSSL.
                            NO_SESSION_REUSE
                                Don't allow for session reuse. Each connection
                                will result in a new SSL session.
@@ -2005,6 +2002,9 @@ DOC_START
                                Verify CRL lists for all certificates in the
                                client certificate chain.
 
+          tls-no-default-ca
+                       Do not use the system default Trusted CA.
+
           sslcontext=  SSL session ID context identifier.
 
        Other Options:
@@ -2172,9 +2172,6 @@ DOC_START
                                Don't request client certificates
                                immediately, but wait until acl processing
                                requires a certificate (not yet implemented).
-                           NO_DEFAULT_CA
-                               Don't use the default CA lists built in
-                               to OpenSSL.
                            NO_SESSION_REUSE
                                Don't allow for session reuse. Each connection
                                will result in a new SSL session.
@@ -2185,6 +2182,9 @@ DOC_START
                                Verify CRL lists for all certificates in the
                                client certificate chain.
 
+          tls-no-default-ca
+                       Do not use the system default Trusted CA.
+
           sslcontext=  SSL session ID context identifier.
 
           generate-host-certificates[=<on|off>]
@@ -2664,13 +2664,12 @@ DOC_START
                        DONT_VERIFY_PEER
                                Accept certificates even if they fail to
                                verify.
-                       NO_DEFAULT_CA
-                               Don't use the default CA list built in
-                               to OpenSSL.
                        DONT_VERIFY_DOMAIN
                                Don't verify the peer certificate
                                matches the server name
        
+       no-default-ca   Do not use the system default Trusted CA.
+       
        domain=         The peer name as advertised in its certificate.
                        Used for verifying the correctness of the received peer
                        certificate. If not specified the peer hostname will be
@@ -3403,10 +3402,6 @@ DOC_START
                                Accept certificates even if they fail to
                                verify.
 
-                       NO_DEFAULT_CA
-                               Don't use the default CA list built in
-                               to OpenSSL.
-
                        DONT_VERIFY_DOMAIN
                                Don't verify the peer certificate
                                matches the server name
@@ -3422,7 +3417,9 @@ DOC_START
                        See MS KB document Q307347 for details on this header.
                        If set to auto the header will only be added if the
                        request is forwarded as a https:// URL.
-       
+
+       tls-no-default-ca
+                       Do not use the system default Trusted CA.       
        
        ==== GENERAL OPTIONS ====
        
@@ -8555,7 +8552,7 @@ DOC_START
                        the icap server certificate.
                        Use to specify intermediate CA certificate(s) if not sent
                        by the server. Or the full CA chain for the server when
-                       using the NO_DEFAULT_CA flag.
+                       using the tls-no-default-ca flag.
                        May be repeated to load multiple files.
 
        tls-capath=...  A directory containing additional CA certificates to
@@ -8570,13 +8567,13 @@ DOC_START
                        DONT_VERIFY_PEER
                                Accept certificates even if they fail to
                                verify.
-                       NO_DEFAULT_CA
-                               Don't use the default CA list built into
-                               OpenSSL.
                        DONT_VERIFY_DOMAIN
                                Don't verify the icap server certificate
                                matches the server name
 
+       tls-no-default-ca
+                       Do no use the system default Trusted CA.
+
        tls-domain=     The icap server name as advertised in it's certificate.
                        Used for verifying the correctness of the received icap
                        server certificate. If not specified the icap server
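Review bot: The new `tls-no-default-ca` description on the added line reads `Do no use the system default Trusted CA.`; it should be `Do not use the system default Trusted CA.` as in the other added descriptions of this option. This is user-facing squid.conf documentation inside DOC_START, which the commit otherwise updates consistently.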
index a2490904849f612145c733b93e23617ad44fe873..310f2e2821836142863715a3078c07648eab8129 100644 (file)
@@ -38,6 +38,7 @@ Security::PeerOptions::PeerOptions(const Security::PeerOptions &p) :
     sslVersion(p.sslVersion),
     encryptTransport(p.encryptTransport)
 {
+    memcpy(&flags, &p.flags, sizeof(flags));
 }
 
 void
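Review bot: `memcpy(&flags, &p.flags, sizeof(flags))` in the constructor body is an odd way to copy a struct holding a single bool; `flags_` is copyable, so it belongs in the initializer list with the other members, placed between `sslVersion` and `encryptTransport` to match the declaration order in PeerOptions.h: `sslVersion(p.sslVersion),` / `flags(p.flags),` / `encryptTransport(p.encryptTransport)`. A memcpy also keeps compiling if a non-trivially-copyable member is later added to `flags_`, which is exactly when it becomes wrong. If the class has a copy-assignment operator as well (not in this hunk), it needs the same addition. The initializer list starts above the hunk.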
@@ -453,7 +454,11 @@ Security::PeerOptions::parseFlags()
         }
         if (!found)
             fatalf("Unknown TLS flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining()));
-        fl |= found;
+        if (found == SSL_FLAG_NO_DEFAULT_CA) {
+            debugs(83, DBG_PARSE_NOTE(2), "UPGRADE WARNING: flags=NO_DEFAULT_CA is deprecated. Use tls-no-default-ca instead.");
+            flags.noDefaultCa = true;
+        } else
+            fl |= found;
     } while (tok.skipOne(delims));
 
     return fl;
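Review bot: The deprecated flag is folded into `flags.noDefaultCa` here, but none of the hunks in this commit adds a case that accepts the new `tls-no-default-ca` / `no-default-ca` token documented in cf.data.pre, so unless PeerOptions::parse() already handles it outside this diff the documented option would be rejected while only the deprecated spelling works; please confirm the parse() side. The warning text `flags=NO_DEFAULT_CA` also does not match the `sslflags=` spelling used by http_port and cache_peer (see the `sslflags=` branch in cache_cf.cc), so a neutral `"UPGRADE WARNING: NO_DEFAULT_CA flag is deprecated. Use tls-no-default-ca instead."` would fit all callers. Finally, the brace-less `else` after a braced `if` should take braces for consistency with the surrounding code. parseFlags starts above the hunk.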
@@ -500,7 +505,7 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
 #endif
     }
 
-    if ((parsedFlags & SSL_FLAG_NO_DEFAULT_CA))
+    if (flags.noDefaultCa)
         return;
 
 #if USE_OPENSSL
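Review bot: With parseFlags no longer ORing SSL_FLAG_NO_DEFAULT_CA into the returned mask, `flags.noDefaultCa` is now the only carrier of this setting; any remaining test of `parsedFlags & SSL_FLAG_NO_DEFAULT_CA` elsewhere in the tree (not visible here) would silently evaluate false and load the system CA set, so it is worth a grep before merging. updateContextCa starts above the hunk.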
index 5e78cc7292162a3285a086429a220d5108f2a039..d3ac657d16f0b6c3c508131e3967b1838e98d81a 100644 (file)
@@ -73,6 +73,14 @@ public:
 private:
     int sslVersion;
 
+    /// flags governing Squid internal TLS operations
+    struct flags_ {
+        flags_() : noDefaultCa(false) {}
+
+        /// do not use the system default Trusted CA when verifying the remote end certificate
+        bool noDefaultCa;
+    } flags;
+
 public:
     /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
     bool encryptTransport;
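Review bot: `struct flags_` declares a constructor only to set `noDefaultCa` to false; if the file builds as C++11 or later (not visible here), an in-class initializer `bool noDefaultCa = false;` does the same, keeps the struct an aggregate and cannot drift out of sync as members are added. The type name `flags_` with a trailing underscore reads like a member name next to the `flags` member; something like `Flags` would be clearer. The `///` comment on `noDefaultCa` could also say what it controls, e.g. `/// do not load the system default Trusted CA set into the context (see updateContextCa)`. The enclosing class runs past the hunk.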