Review updates
authorAmos Jeffries <squid3@treenet.co.nz>
Sun, 8 Feb 2015 09:31:46 +0000 (01:31 -0800)
committerAmos Jeffries <squid3@treenet.co.nz>
Sun, 8 Feb 2015 09:31:46 +0000 (01:31 -0800)
src/FwdState.cc
src/PeerPoolMgr.cc
src/cache_cf.cc
src/cf.data.pre
src/security/PeerOptions.cc
src/security/PeerOptions.h
src/ssl/PeerConnector.cc
src/tests/stub_libsecurity.cc
src/tunnel.cc

index 60e74bc60806a5889ae0963969939013c8979b55..60c61e4d7c64ef08c46802ff1122f4592b6b8795 100644 (file)
@@ -683,7 +683,7 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in
 
 #if USE_OPENSSL
     if (!request->flags.pinned) {
-        if ((serverConnection()->getPeer() && serverConnection()->getPeer()->secure.ssl) ||
+        if ((serverConnection()->getPeer() && serverConnection()->getPeer()->secure.encryptTransport) ||
                 (!serverConnection()->getPeer() && request->url.getScheme() == AnyP::PROTO_HTTPS) ||
                 request->flags.sslPeek) {
 
index 21018f5888e0b75f9f5169722ffa92f3be0681e3..80f4cfb9c31d299f33f0f6d676e9e88fdd09d985 100644 (file)
@@ -113,7 +113,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams &params)
 
 #if USE_OPENSSL
     // Handle SSL peers.
-    if (peer->secure.ssl) {
+    if (peer->secure.encryptTransport) {
         typedef CommCbMemFunT<PeerPoolMgr, CommCloseCbParams> CloserDialer;
         closer = JobCallback(48, 3, CloserDialer, this,
                              PeerPoolMgr::handleSecureClosure);
index bd12f773a5157dd06711df55eca50a75f7bcad35..2eeb0593e474416086f989e7af06a9f89e4dca48 100644 (file)
@@ -885,12 +885,15 @@ configDoConfigure(void)
 
     debugs(3, DBG_IMPORTANT, "Initializing https proxy context");
 
-    // BUG: ssl_client.sslContext will leak on reconfigure when Config gets memset()
-    // it makes more sense to create a context per outbound connection instead of this
     Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createContext();
 
     for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
-        if (p->secure.ssl) {
+
+        // default value for ssldomain= is the peer host/IP
+        if (p->secure.sslDomain.isEmpty())
+            p->secure.sslDomain = p->host;
+
+        if (p->secure.encryptTransport) {
             debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " SSL context");
             p->sslContext = p->secure.createContext();
         }
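Review bot: The `// BUG: ssl_client.sslContext will leak on reconfigure ...` comment is dropped while the `Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createContext();` assignment it described is left as it was, and nothing in the visible hunks of this commit looks like a fix for that leak. If the old context is still not released before the reassignment, keep a marker on that line, e.g. `// XXX: previous sslContext is not freed on reconfigure`, so the known issue is not silently forgotten. The new ssldomain default is applied to every peer, including ones without `encryptTransport`; that looks harmless but the comment could say so explicitly. configDoConfigure continues outside the hunk.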
@@ -2288,7 +2291,7 @@ parse_peer(CachePeer ** head)
 #if !USE_OPENSSL
             debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl");
 #else
-            p->secure.ssl = true;
+            p->secure.encryptTransport = true;
             p->secure.parse(token+3);
 #endif
 
index f1ff5d70d229e6335e2322dc99cd1aa15068ca1f..5b8a8aaf71a71417a6ded6161487916140aa509e 100644 (file)
@@ -1808,11 +1808,22 @@ DOC_START
           options=     Various SSL implementation options. The most important
                        being:
                            NO_SSLv3    Disallow the use of SSLv3
+
                            NO_TLSv1    Disallow the use of TLSv1.0
+
                            NO_TLSv1_1  Disallow the use of TLSv1.1
+
                            NO_TLSv1_2  Disallow the use of TLSv1.2
+
                            SINGLE_DH_USE Always create a new key when using
                                      temporary/ephemeral DH key exchanges
+
+                           SSL_OP_NO_TICKET
+                                     Disable use of RFC5077 session tickets.
+                                     Some servers may have problems
+                                     understanding the TLS extension due
+                                     to ambiguous specification in RFC4507.
+
                            ALL       Enable various bug workarounds
                                      suggested as "harmless" by OpenSSL
                                      Be warned that this reduces SSL/TLS
@@ -3177,12 +3188,23 @@ DOC_START
        ssloptions=...  Specify various SSL implementation options:
 
                            NO_SSLv3    Disallow the use of SSLv3
+
                            NO_TLSv1    Disallow the use of TLSv1.0
+
                            NO_TLSv1_1  Disallow the use of TLSv1.1
+
                            NO_TLSv1_2  Disallow the use of TLSv1.2
+
                            SINGLE_DH_USE
                                      Always create a new key when using
                                      temporary/ephemeral DH key exchanges
+
+                           SSL_OP_NO_TICKET
+                                     Disable use of RFC5077 session tickets.
+                                     Some servers may have problems
+                                     understanding the TLS extension due
+                                     to ambiguous specification in RFC4507.
+
                            ALL       Enable various bug workarounds
                                      suggested as "harmless" by OpenSSL
                                      Be warned that this reduces SSL/TLS
@@ -3205,9 +3227,11 @@ DOC_START
                        DONT_VERIFY_PEER
                                Accept certificates even if they fail to
                                verify.
+
                        NO_DEFAULT_CA
                                Don't use the default CA list built in
                                to OpenSSL.
+
                        DONT_VERIFY_DOMAIN
                                Don't verify the peer certificate
                                matches the server name
index 712f5a5896049d6046c1a900c3d58f54b5849821..863df0d9f6f8e56620762b15c470307d2a849fd9 100644 (file)
@@ -23,6 +23,8 @@ Security::PeerOptions::parse(const char *token)
 {
     if (strncmp(token, "cert=", 5) == 0) {
         certFile = SBuf(token + 5);
+        if (privateKeyFile.isEmpty())
+            privateKeyFile = certFile;
     } else if (strncmp(token, "key=", 4) == 0) {
         privateKeyFile = SBuf(token + 4);
         if (certFile.isEmpty()) {
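Review bot: The `cert=` branch fills `privateKeyFile` only while it is still empty, so the key path follows the first `cert=` token and is not updated by a later `cert=` in the same directive, whereas the default removed from createContext() always tracked the final certFile. If the intended rule is "the key file defaults to the certificate file unless key= was given", either apply the default once after all tokens have been parsed or remember whether `key=` was seen explicitly. parse() continues past the end of the hunk.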
@@ -54,12 +56,18 @@ Security::PeerOptions::createContext()
 {
     Security::ContextPointer t = NULL;
 
-    if (privateKeyFile.isEmpty())
-        privateKeyFile = certFile;
-
 #if USE_OPENSSL
+    // XXX: temporary performance regression. c_str() data copies and prevents this being a const method
     t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(),
                            sslOptions.c_str(), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str());
 #endif
     return t;
 }
+
+void
+parse_securePeerOptions(Security::PeerOptions *opt)
+{
+    while(const char *token = ConfigParser::NextToken())
+        opt->parse(token);
+}
+
index 4e35d41e492ae03bc268dd2f2702da19392b7c91..d106e8476f7078f7d5da75c45dc2db3f7de43d64 100644 (file)
 namespace Security
 {
 
+/// TLS squid.conf settings for a remote server peer
 class PeerOptions
 {
 public:
-    PeerOptions() : ssl(false), sslVersion(0) {}
+    PeerOptions() : sslVersion(0), encryptTransport(false) {}
 
     /// parse a TLS squid.conf option
     void parse(const char *);
@@ -27,22 +28,24 @@ public:
     /// reset the configuration details to default
     void clear() {*this = PeerOptions();}
 
-    /// generate a security context from the configured options
+    /// generate a security context from these configured options
     Security::ContextPointer createContext();
 
-    bool ssl;   ///< whether SSL is to be used on this connection
-
     SBuf certFile;       ///< path of file containing PEM format X509 certificate
     SBuf privateKeyFile; ///< path of file containing private key in PEM format
     SBuf sslOptions;     ///< library-specific options string
     SBuf caFile;         ///< path of file containing trusted Certificate Authority
-    SBuf caDir;          ///< path of directory containign a set of trusted Certificate Authorities
+    SBuf caDir;          ///< path of directory containing a set of trusted Certificate Authorities
     SBuf crlFile;        ///< path of file containing Certificate Revoke List
 
-    int sslVersion;
     SBuf sslCipher;
     SBuf sslFlags;
     SBuf sslDomain;
+
+    int sslVersion;
+
+    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
+    bool encryptTransport;
 };
 
 /// configuration options for DIRECT server access
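Review bot: `sslVersion`, `sslCipher`, `sslFlags` and `sslDomain` are now the only members without a `///<` description, while the surrounding fields and the new `encryptTransport` each have one. `sslDomain` matters most because its default is assigned elsewhere (cache_cf.cc sets it to the peer host when unset), which a reader of this header cannot see; suggested `SBuf sslDomain;      ///< ssldomain= value; cache_cf.cc defaults it to the peer host when unset`. For the others, which createContext() passes straight to the TLS library, something like `int sslVersion;      ///< sslversion= selector passed to the TLS library` and `SBuf sslCipher;      ///< sslcipher= string passed to the TLS library` would bring the class to a uniform level of documentation.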
@@ -51,14 +54,7 @@ extern PeerOptions ProxyOutgoingConfig;
 } // namespace Security
 
 // parse the tls_outgoing_options directive
-inline void
-parse_securePeerOptions(Security::PeerOptions *opt)
-{
-    while(const char *token = ConfigParser::NextToken()) {
-        opt->parse(token);
-    }
-}
-
+void parse_securePeerOptions(Security::PeerOptions *);
 #define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
 #define dump_securePeerOptions(e,n,x) // not supported yet
 
index 10e2b865b5595580b9249de96505e44cfd911d7a..736c0bac032d4d1f620d15c70eda75113e655b6c 100644 (file)
@@ -111,7 +111,7 @@ Ssl::PeerConnector::initializeSsl()
     const int fd = serverConnection()->fd;
 
     if (peer) {
-        assert(peer->secure.ssl);
+        assert(peer->secure.encryptTransport);
         sslContext = peer->sslContext;
     } else {
         // XXX: locate a per-server context in Security:: instead
@@ -130,20 +130,12 @@ Ssl::PeerConnector::initializeSsl()
     }
 
     if (peer) {
-        if (!peer->secure.sslDomain.isEmpty()) {
-            // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
-            SSL_set_ex_data(ssl, ssl_ex_index_server, const_cast<SBuf*>(&peer->secure.sslDomain));
-        }
-#if NOT_YET
-
-        else if (peer->name)
-            SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name);
+        // NP: domain may be a raw-IP but it is now always set
+        assert(!peer->secure.sslDomain.isEmpty());
 
-#endif
-#if WHEN_PEER_HOST_IS_SBUF
-        else
-            SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host);
-#endif
+        // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
+        const char *host = const_cast<SBuf*>(&peer->secure.sslDomain)->c_str();
+        SSL_set_ex_data(ssl, ssl_ex_index_server, const_cast<char*>(host));
 
         if (peer->sslSession)
             SSL_set_session(ssl, peer->sslSession);
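Review bot: The value stored under `ssl_ex_index_server` changes type here: the removed code registered a `SBuf*`, while the new lines register the `char*` returned by `c_str()`. Whatever later reads that slot back must cast to the same type, otherwise the peer name used for certificate name checking is misread; no file in this commit's list looks like the reader of that slot, so please confirm it already expects a C string, and if not either keep passing the `SBuf*` or update the reader in the same change. The `c_str()` pointer is also only valid while `peer->secure.sslDomain` is neither modified nor destroyed, a constraint the old `SBuf*` shared but which the new comment should state, e.g. `// points into peer->secure.sslDomain; the peer must outlive this ssl object`. initializeSsl continues outside the hunk.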
index 51635edfba49d322b221e0c1efd87bddeb330fe5..823596a7aa5b6253a60dd37b69f89ad0ab26b459 100644 (file)
@@ -15,3 +15,4 @@
 Security::PeerOptions Security::ProxyOutgoingConfig;
 void Security::PeerOptions::parse(char const*) STUB
 Security::ContextPointer Security::PeerOptions::createContext() STUB_RETVAL(NULL)
+void parse_securePeerOptions(Security::PeerOptions *) STUB
index af829a613dd342e465c698a8837859c66ebe7b98..4ef5a61a7c89ff005eda286d431af31e4bd18d1c 100644 (file)
@@ -953,7 +953,7 @@ TunnelStateData::connectToPeer()
 
 #if USE_OPENSSL
     if (CachePeer *p = srv->getPeer()) {
-        if (p->secure.ssl) {
+        if (p->secure.encryptTransport) {
             AsyncCall::Pointer callback = asyncCall(5,4,
                                                     "TunnelStateData::ConnectedToPeer",
                                                     MyAnswerDialer(&TunnelStateData::connectedToPeer, this));