From 8b253b833ea37816d29261f567cd703377c9908f Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Thu, 8 Oct 2015 23:02:01 -0700 Subject: [PATCH] Add tls-no-default-ca option to replace sslflags=NO_DEFAULT_CA --- doc/release-notes/release-4.sgml | 4 ++++ src/cache_cf.cc | 1 + src/cf.data.pre | 33 +++++++++++++++----------------- src/security/PeerOptions.cc | 9 +++++++-- src/security/PeerOptions.h | 8 ++++++++ 5 files changed, 35 insertions(+), 20 deletions(-) diff --git a/doc/release-notes/release-4.sgml b/doc/release-notes/release-4.sgml index 51b65fd356..73711f1fa7 100644 --- a/doc/release-notes/release-4.sgml +++ b/doc/release-notes/release-4.sgml @@ -170,6 +170,7 @@ This section gives a thorough account of those changes in three categories: cache_peer

New option tls-min-version=1.N to set minimum TLS version allowed. +

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA

All ssloptions= values for SSLv2 configuration or disabling have been removed.

Removed sslversion= option. Use tls-options= instead. @@ -182,6 +183,7 @@ This section gives a thorough account of those changes in three categories: http_port

New option tls-min-version=1.N to set minimum TLS version allowed. +

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA

All option= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead. @@ -193,9 +195,11 @@ This section gives a thorough account of those changes in three categories: parameter file name.

Manual squid.conf update may be required on upgrade.

Replaced cafile= with tls-cafile= which takes multiple entries. +

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA https_port

New option tls-min-version=1.N to set minimum TLS version allowed. +

New option tls-no-default-ca replaces sslflags=NO_DEFAULT_CA

All options= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead. diff --git a/src/cache_cf.cc b/src/cache_cf.cc index ff4473e652..830451908b 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -3594,6 +3594,7 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token) safe_free(s->tls_dh); s->tls_dh = xstrdup(token + 7); } else if (strncmp(token, "sslflags=", 9) == 0) { + // NP: deprecation warnings output by secure.parse() when relevant s->secure.parse(token+3); } else if (strncmp(token, "sslcontext=", 11) == 0) { safe_free(s->sslContextSessionId); diff --git a/src/cf.data.pre b/src/cf.data.pre index 21295c77b5..4b08675721 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1992,9 +1992,6 @@ DOC_START Don't request client certificates immediately, but wait until acl processing requires a certificate (not yet implemented). - NO_DEFAULT_CA - Don't use the default CA lists built in - to OpenSSL. NO_SESSION_REUSE Don't allow for session reuse. Each connection will result in a new SSL session. @@ -2005,6 +2002,9 @@ DOC_START Verify CRL lists for all certificates in the client certificate chain. + tls-no-default-ca + Do not use the system default Trusted CA. + sslcontext= SSL session ID context identifier. Other Options: @@ -2172,9 +2172,6 @@ DOC_START Don't request client certificates immediately, but wait until acl processing requires a certificate (not yet implemented). - NO_DEFAULT_CA - Don't use the default CA lists built in - to OpenSSL. NO_SESSION_REUSE Don't allow for session reuse. Each connection will result in a new SSL session. @@ -2185,6 +2182,9 @@ DOC_START Verify CRL lists for all certificates in the client certificate chain. + tls-no-default-ca + Do not use the system default Trusted CA. + sslcontext= SSL session ID context identifier. generate-host-certificates[=] 
@@ -2664,13 +2664,12 @@ DOC_START DONT_VERIFY_PEER Accept certificates even if they fail to verify. - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. DONT_VERIFY_DOMAIN Don't verify the peer certificate matches the server name + no-default-ca Do not use the system default Trusted CA. + domain= The peer name as advertised in its certificate. Used for verifying the correctness of the received peer certificate. If not specified the peer hostname will be @@ -3403,10 +3402,6 @@ DOC_START Accept certificates even if they fail to verify. - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. - DONT_VERIFY_DOMAIN Don't verify the peer certificate matches the server name @@ -3422,7 +3417,9 @@ DOC_START See MS KB document Q307347 for details on this header. If set to auto the header will only be added if the request is forwarded as a https:// URL. - + + tls-no-default-ca + Do not use the system default Trusted CA. ==== GENERAL OPTIONS ==== @@ -8555,7 +8552,7 @@ DOC_START the icap server certificate. Use to specify intermediate CA certificate(s) if not sent by the server. Or the full CA chain for the server when - using the NO_DEFAULT_CA flag. + using the tls-no-default-ca flag. May be repeated to load multiple files. tls-capath=... A directory containing additional CA certificates to @@ -8570,13 +8567,13 @@ DOC_START DONT_VERIFY_PEER Accept certificates even if they fail to verify. - NO_DEFAULT_CA - Don't use the default CA list built into - OpenSSL. DONT_VERIFY_DOMAIN Don't verify the icap server certificate matches the server name + tls-no-default-ca + Do no use the system default Trusted CA. + tls-domain= The icap server name as advertised in it's certificate. Used for verifying the correctness of the received icap server certificate. If not specified the icap server diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index a249090484..310f2e2821 100644 --- a/src/security/PeerOptions.cc 
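Review bot: The cache_peer entry in the @@ -2664 hunk documents the new option as `no-default-ca`, while the http_port, https_port and icap_service hunks and the release notes all spell it `tls-no-default-ca`; one spelling should be used, presumably `tls-no-default-ca` here too, unless cache_peer deliberately omits the prefix. The icap_service text in the @@ -8570 hunk has a typo: `Do no use the system default Trusted CA.` should read `Do not use the system default Trusted CA.`. Both lines end up in the administrator-facing generated configuration documentation, so they are worth fixing before this lands.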
+++ b/src/security/PeerOptions.cc @@ -38,6 +38,7 @@ Security::PeerOptions::PeerOptions(const Security::PeerOptions &p) : sslVersion(p.sslVersion), encryptTransport(p.encryptTransport) { + memcpy(&flags, &p.flags, sizeof(flags)); } void @@ -453,7 +454,11 @@ Security::PeerOptions::parseFlags() } if (!found) fatalf("Unknown TLS flag '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining())); - fl |= found; + if (found == SSL_FLAG_NO_DEFAULT_CA) { + debugs(83, DBG_PARSE_NOTE(2), "UPGRADE WARNING: flags=NO_DEFAULT_CA is deprecated. Use tls-no-default-ca instead."); + flags.noDefaultCa = true; + } else + fl |= found; } while (tok.skipOne(delims)); return fl; @@ -500,7 +505,7 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx) #endif } - if ((parsedFlags & SSL_FLAG_NO_DEFAULT_CA)) + if (flags.noDefaultCa) return; #if USE_OPENSSL diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h index 5e78cc7292..d3ac657d16 100644 --- a/src/security/PeerOptions.h +++ b/src/security/PeerOptions.h @@ -73,6 +73,14 @@ public: private: int sslVersion; + /// flags governing Squid internal TLS operations + struct flags_ { + flags_() : noDefaultCa(false) {} + + /// do not use the system default Trusted CA when verifying the remote end certificate + bool noDefaultCa; + } flags; + public: /// whether transport encryption (TLS/SSL) is to be used on connections to the peer bool encryptTransport; -- 2.47.3
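Review bot: `memcpy(&flags, &p.flags, sizeof(flags));` in the copy constructor bypasses the struct's own copy semantics; with a single bool member it is harmless today, but the moment `flags_` gains a non-trivially-copyable member the memcpy becomes undefined behaviour, and nothing in the constructor would flag that. Copying the member in the initializer list, in declaration order to avoid a reorder warning, `sslVersion(p.sslVersion), flags(p.flags), encryptTransport(p.encryptTransport)`, keeps the copy correct whatever `flags_` grows into and removes the explicit size arithmetic. The constructor's signature and the start of its initializer list lie outside the hunk.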
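Review bot: None of the hunks in this patch appear to add parsing of the new `tls-no-default-ca` token itself; the diffstat for PeerOptions.cc (7 insertions, 2 deletions) is fully accounted for by the three hunks shown, which only remap the deprecated NO_DEFAULT_CA flag to `flags.noDefaultCa` and consult it in updateContextCa(). Unless PeerOptions::parse() already recognises the option somewhere not in this diff, a configured `tls-no-default-ca` would take whatever unknown-option path parse() has, and only the deprecated spelling would actually disable the system CA store, which is the opposite of what the documentation hunks promise; parse() needs a branch that sets `flags.noDefaultCa = true;` when that token is seen. Separately, because SSL_FLAG_NO_DEFAULT_CA is no longer OR-ed into the returned mask, any remaining code that still tests `parsedFlags & SSL_FLAG_NO_DEFAULT_CA` would silently stop honouring the flag; the @@ -500 hunk converts updateContextCa(), but I cannot tell from here whether other consumers exist, so a grep for that constant is warranted. The do/while loop enclosing the changed lines begins outside the hunk.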
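Review bot: The `flags_` struct initialises its only member through a hand-written constructor; if the tree is built as C++11, an in-class initialiser `bool noDefaultCa = false;` with no constructor says the same thing next to the field and is what any further flags added here will want to follow. The doc comment on `noDefaultCa` should also record where the value comes from, since the header alone suggests a single source, e.g. `/// do not use the system default Trusted CA when verifying the remote end certificate (set by parseFlags() for the deprecated NO_DEFAULT_CA flag; intended for tls-no-default-ca)`. The enclosing class begins and ends outside the hunk.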