From: Amos Jeffries Date: Sun, 8 Feb 2015 09:31:46 +0000 (-0800) Subject: Review updates X-Git-Tag: merge-candidate-3-v1~242^2~2 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=1f1f29e868d62ff1ae97569cbbb33a17c4e84807;p=thirdparty%2Fsquid.git Review updates --- diff --git a/src/FwdState.cc b/src/FwdState.cc index 60e74bc608..60c61e4d7c 100644 --- a/src/FwdState.cc +++ b/src/FwdState.cc @@ -683,7 +683,7 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in #if USE_OPENSSL if (!request->flags.pinned) { - if ((serverConnection()->getPeer() && serverConnection()->getPeer()->secure.ssl) || + if ((serverConnection()->getPeer() && serverConnection()->getPeer()->secure.encryptTransport) || (!serverConnection()->getPeer() && request->url.getScheme() == AnyP::PROTO_HTTPS) || request->flags.sslPeek) { diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc index 21018f5888..80f4cfb9c3 100644 --- a/src/PeerPoolMgr.cc +++ b/src/PeerPoolMgr.cc @@ -113,7 +113,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) #if USE_OPENSSL // Handle SSL peers. - if (peer->secure.ssl) { + if (peer->secure.encryptTransport) { typedef CommCbMemFunT CloserDialer; closer = JobCallback(48, 3, CloserDialer, this, PeerPoolMgr::handleSecureClosure); diff --git a/src/cache_cf.cc b/src/cache_cf.cc index bd12f773a5..2eeb0593e4 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -885,12 +885,15 @@ configDoConfigure(void) debugs(3, DBG_IMPORTANT, "Initializing https proxy context"); - // BUG: ssl_client.sslContext will leak on reconfigure when Config gets memset() - // it makes more sense to create a context per outbound connection instead of this Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createContext(); for (CachePeer *p = Config.peers; p != NULL; p = p->next) { - if (p->secure.ssl) { + + // default value for ssldomain= is the peer host/IP + if (p->secure.sslDomain.isEmpty()) + p->secure.sslDomain = p->host; + + if (p->secure.encryptTransport) { debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " SSL context"); p->sslContext = p->secure.createContext(); } @@ -2288,7 +2291,7 @@ parse_peer(CachePeer ** head) #if !USE_OPENSSL debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl"); #else - p->secure.ssl = true; + p->secure.encryptTransport = true; p->secure.parse(token+3); #endif diff --git a/src/cf.data.pre b/src/cf.data.pre index f1ff5d70d2..5b8a8aaf71 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1808,11 +1808,22 @@ DOC_START options= Various SSL implementation options. The most important being: NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1.0 + NO_TLSv1_1 Disallow the use of TLSv1.1 + NO_TLSv1_2 Disallow the use of TLSv1.2 + SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges + + SSL_OP_NO_TICKET + Disable use of RFC5077 session tickets. + Some servers may have problems + understanding the TLS extension due + to ambiguous specification in RFC4507. + ALL Enable various bug workarounds suggested as "harmless" by OpenSSL Be warned that this reduces SSL/TLS @@ -3177,12 +3188,23 @@ DOC_START ssloptions=... Specify various SSL implementation options: NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1.0 + NO_TLSv1_1 Disallow the use of TLSv1.1 + NO_TLSv1_2 Disallow the use of TLSv1.2 + SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges + + SSL_OP_NO_TICKET + Disable use of RFC5077 session tickets. + Some servers may have problems + understanding the TLS extension due + to ambiguous specification in RFC4507. + ALL Enable various bug workarounds suggested as "harmless" by OpenSSL Be warned that this reduces SSL/TLS @@ -3205,9 +3227,11 @@ DOC_START DONT_VERIFY_PEER Accept certificates even if they fail to verify. + NO_DEFAULT_CA Don't use the default CA list built in to OpenSSL. + DONT_VERIFY_DOMAIN Don't verify the peer certificate matches the server name diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index 712f5a5896..863df0d9f6 100644 --- a/src/security/PeerOptions.cc +++ b/src/security/PeerOptions.cc @@ -23,6 +23,8 @@ Security::PeerOptions::parse(const char *token) { if (strncmp(token, "cert=", 5) == 0) { certFile = SBuf(token + 5); + if (privateKeyFile.isEmpty()) + privateKeyFile = certFile; } else if (strncmp(token, "key=", 4) == 0) { privateKeyFile = SBuf(token + 4); if (certFile.isEmpty()) { @@ -54,12 +56,18 @@ Security::PeerOptions::createContext() { Security::ContextPointer t = NULL; - if (privateKeyFile.isEmpty()) - privateKeyFile = certFile; - #if USE_OPENSSL + // XXX: temporary performance regression. c_str() data copies and prevents this being a const method t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(), sslOptions.c_str(), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str()); #endif return t; } + +void +parse_securePeerOptions(Security::PeerOptions *opt) +{ + while(const char *token = ConfigParser::NextToken()) + opt->parse(token); +} + diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h index 4e35d41e49..d106e8476f 100644 --- a/src/security/PeerOptions.h +++ b/src/security/PeerOptions.h @@ -16,10 +16,11 @@ namespace Security { +/// TLS squid.conf settings for a remote server peer class PeerOptions { public: - PeerOptions() : ssl(false), sslVersion(0) {} + PeerOptions() : sslVersion(0), encryptTransport(false) {} /// parse a TLS squid.conf option void parse(const char *); @@ -27,22 +28,24 @@ public: /// reset the configuration details to default void clear() {*this = PeerOptions();} - /// generate a security context from the configured options + /// generate a security context from these configured options Security::ContextPointer createContext(); - bool ssl; ///< whether SSL is to be used on this connection - SBuf certFile; ///< path of file containing PEM format X509 certificate SBuf privateKeyFile; ///< path of file containing private key in PEM format SBuf sslOptions; ///< library-specific options string SBuf caFile; ///< path of file containing trusted Certificate Authority - SBuf caDir; ///< path of directory containign a set of trusted Certificate Authorities + SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities SBuf crlFile; ///< path of file containing Certificate Revoke List - int sslVersion; SBuf sslCipher; SBuf sslFlags; SBuf sslDomain; + + int sslVersion; + + /// whether transport encryption (TLS/SSL) is to be used on connections to the peer + bool encryptTransport; }; /// configuration options for DIRECT server access @@ -51,14 +54,7 @@ extern PeerOptions ProxyOutgoingConfig; } // namespace Security // parse the tls_outgoing_options directive -inline void -parse_securePeerOptions(Security::PeerOptions *opt) -{ - while(const char *token = ConfigParser::NextToken()) { - opt->parse(token); - } -} - +void parse_securePeerOptions(Security::PeerOptions *); #define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear() #define dump_securePeerOptions(e,n,x) // not supported yet diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc index 10e2b865b5..736c0bac03 100644 --- a/src/ssl/PeerConnector.cc +++ b/src/ssl/PeerConnector.cc @@ -111,7 +111,7 @@ Ssl::PeerConnector::initializeSsl() const int fd = serverConnection()->fd; if (peer) { - assert(peer->secure.ssl); + assert(peer->secure.encryptTransport); sslContext = peer->sslContext; } else { // XXX: locate a per-server context in Security:: instead @@ -130,20 +130,12 @@ Ssl::PeerConnector::initializeSsl() } if (peer) { - if (!peer->secure.sslDomain.isEmpty()) { - // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor - SSL_set_ex_data(ssl, ssl_ex_index_server, const_cast(&peer->secure.sslDomain)); - } -#if NOT_YET - - else if (peer->name) - SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name); + // NP: domain may be a raw-IP but it is now always set + assert(!peer->secure.sslDomain.isEmpty()); -#endif -#if WHEN_PEER_HOST_IS_SBUF - else - SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host); -#endif + // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor + const char *host = const_cast(&peer->secure.sslDomain)->c_str(); + SSL_set_ex_data(ssl, ssl_ex_index_server, const_cast(host)); if (peer->sslSession) SSL_set_session(ssl, peer->sslSession); diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc index 51635edfba..823596a7aa 100644 --- a/src/tests/stub_libsecurity.cc +++ b/src/tests/stub_libsecurity.cc @@ -15,3 +15,4 @@ Security::PeerOptions Security::ProxyOutgoingConfig; void Security::PeerOptions::parse(char const*) STUB Security::ContextPointer Security::PeerOptions::createContext() STUB_RETVAL(NULL) +void parse_securePeerOptions(Security::PeerOptions *) STUB diff --git a/src/tunnel.cc b/src/tunnel.cc index af829a613d..4ef5a61a7c 100644 --- a/src/tunnel.cc +++ b/src/tunnel.cc @@ -953,7 +953,7 @@ TunnelStateData::connectToPeer() #if USE_OPENSSL if (CachePeer *p = srv->getPeer()) { - if (p->secure.ssl) { + if (p->secure.encryptTransport) { AsyncCall::Pointer callback = asyncCall(5,4, "TunnelStateData::ConnectedToPeer", MyAnswerDialer(&TunnelStateData::connectedToPeer, this));