ServerOptions.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "anyp/PortCfg.h"
11 #include "base/IoManip.h"
12 #include "base/Packable.h"
13 #include "cache_cf.h"
14 #include "error/SysErrorDetail.h"
15 #include "fatal.h"
16 #include "globals.h"
17 #include "security/ServerOptions.h"
18 #include "security/Session.h"
19 #include "SquidConfig.h"
20 #if USE_OPENSSL
21 #include "compat/openssl.h"
22 #include "ssl/support.h"
23 
24 #if HAVE_OPENSSL_DECODER_H
25 #include <openssl/decoder.h>
26 #endif
27 #if HAVE_OPENSSL_ERR_H
28 #include <openssl/err.h>
29 #endif
30 #endif
31 
32 #include <limits>
33 
34 Security::ServerOptions &
35 Security::ServerOptions::operator =(const Security::ServerOptions &old) {
36  if (this != &old) {
37  Security::PeerOptions::operator =(old);
38  clientCaFile = old.clientCaFile;
39  dh = old.dh;
40  dhParamsFile = old.dhParamsFile;
41  eecdhCurve = old.eecdhCurve;
42  parsedDhParams = old.parsedDhParams;
43 #if USE_OPENSSL
44  if (auto *stk = SSL_dup_CA_list(old.clientCaStack.get()))
45  clientCaStack = Security::ServerOptions::X509_NAME_STACK_Pointer(stk);
46  else
47 #endif
48  clientCaStack = nullptr;
49 
50  staticContextSessionId = old.staticContextSessionId;
51  generateHostCertificates = old.generateHostCertificates;
52  signingCa = old.signingCa;
53  untrustedSigningCa = old.untrustedSigningCa;
54  dynamicCertMemCacheSize = old.dynamicCertMemCacheSize;
55  }
56  return *this;
57 }
58 
59 void
60 Security::ServerOptions::parse(const char *token)
61 {
62  if (!*token) {
63  // config says just "ssl" or "tls" (or "tls-")
64  encryptTransport = true;
65  return;
66  }
67 
68  // parse the server-only options
69  if (strncmp(token, "clientca=", 9) == 0) {
70  clientCaFile = SBuf(token + 9);
71  } else if (strncmp(token, "dh=", 3) == 0) {
72  // clear any previous Diffi-Helman configuration
73  dh.clear();
74  dhParamsFile.clear();
75  eecdhCurve.clear();
76 
77  dh.append(token + 3);
78 
79  if (!dh.isEmpty()) {
80  auto pos = dh.find(':');
81  if (pos != SBuf::npos) { // tls-dh=eecdhCurve:dhParamsFile
82  eecdhCurve = dh.substr(0,pos);
83  dhParamsFile = dh.substr(pos+1);
84  } else { // tls-dh=dhParamsFile
85  dhParamsFile = dh;
86  // empty eecdhCurve means "do not use EECDH"
87  }
88  }
89 
90  loadDhParams();
91 
92  } else if (strncmp(token, "dhparams=", 9) == 0) {
93  if (!eecdhCurve.isEmpty()) {
94  debugs(83, DBG_PARSE_NOTE(1), "WARNING: UPGRADE: EECDH settings in tls-dh= override dhparams=");
95  return;
96  }
97 
98  // backward compatibility for dhparams= configuration
99  dh.clear();
100  dh.append(token + 9);
101  dhParamsFile = dh;
102 
103  loadDhParams();
104 
105  } else if (strncmp(token, "dynamic_cert_mem_cache_size=", 28) == 0) {
106  parseBytesOptionValue(&dynamicCertMemCacheSize, "bytes", token + 28);
107  // XXX: parseBytesOptionValue() self_destruct()s on invalid values,
108  // probably making this comparison and misleading ERROR unnecessary.
109  if (dynamicCertMemCacheSize == std::numeric_limits<size_t>::max()) {
110  debugs(3, DBG_CRITICAL, "ERROR: Cannot allocate memory for '" << token << "'. Using default of 4MB instead.");
111  dynamicCertMemCacheSize = 4*1024*1024; // 4 MB
112  }
113 
114  } else if (strcmp(token, "generate-host-certificates") == 0) {
115  generateHostCertificates = true;
116  } else if (strcmp(token, "generate-host-certificates=on") == 0) {
117  generateHostCertificates = true;
118  } else if (strcmp(token, "generate-host-certificates=off") == 0) {
119  generateHostCertificates = false;
120 
121  } else if (strncmp(token, "context=", 8) == 0) {
122 #if USE_OPENSSL
123  staticContextSessionId = SBuf(token+8);
124  // to hide its arguably sensitive value, do not print token in these debugs
125  if (staticContextSessionId.length() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
126  debugs(83, DBG_CRITICAL, "FATAL: Option 'context=' value is too long. Maximum " << SSL_MAX_SSL_SESSION_ID_LENGTH << " characters.");
127  self_destruct();
128  }
129 #else
130  debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: Option 'context=' requires --with-openssl. Ignoring.");
131 #endif
132 
133  } else {
134  // parse generic TLS options
135  Security::PeerOptions::parse(token);
136  }
137 }
138 
139 void
140 Security::ServerOptions::dumpCfg(std::ostream &os, const char *pfx) const
141 {
142  // dump out the generic TLS options
143  Security::PeerOptions::dumpCfg(os, pfx);
144 
145  if (!encryptTransport)
146  return; // no other settings are relevant
147 
148  // dump the server-only options
149  if (!dh.isEmpty())
150  os << ' ' << pfx << "dh=" << dh;
151 
152  if (!generateHostCertificates)
153  os << ' ' << pfx << "generate-host-certificates=off";
154 
155  if (dynamicCertMemCacheSize != 4*1024*1024) // 4MB default, no 'tls-' prefix
156  os << ' ' << "dynamic_cert_mem_cache_size=" << dynamicCertMemCacheSize << "bytes";
157 
158  if (!staticContextSessionId.isEmpty())
159  os << ' ' << pfx << "context=" << staticContextSessionId;
160 }
161 
162 Security::ContextPointer
163 Security::ServerOptions::createBlankContext() const
164 {
165  Security::ContextPointer ctx;
166 #if USE_OPENSSL
167  Ssl::Initialize();
168 
169  SSL_CTX *t = SSL_CTX_new(TLS_server_method());
170  if (!t) {
171  const auto x = ERR_get_error();
172  debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x));
173  }
174  ctx = convertContextFromRawPtr(t);
175 
176 #elif HAVE_LIBGNUTLS
177  // Initialize for X.509 certificate exchange
178  gnutls_certificate_credentials_t t;
179  if (const auto x = gnutls_certificate_allocate_credentials(&t)) {
180  debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x));
181  }
182  ctx = convertContextFromRawPtr(t);
183 
184 #else
185  debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: No TLS library");
186 
187 #endif
188 
189  return ctx;
190 }
191 
192 void
193 Security::ServerOptions::initServerContexts(AnyP::PortCfg &port)
194 {
195  const char *portType = AnyP::ProtocolType_str[port.transport.protocol];
196  for (auto &keyData : certs) {
197  keyData.loadFromFiles(port, portType);
198  }
199 
200  if (generateHostCertificates) {
201  createSigningContexts(port);
202  }
203 
204  if (!certs.empty() && !createStaticServerContext(port)) {
205  char buf[128];
206  fatalf("%s_port %s initialization error", portType, port.s.toUrl(buf, sizeof(buf)));
207  }
208 
209  // if generate-host-certificates=off and certs is empty, no contexts may be created.
210  // features depending on contexts do their own checks and error messages later.
211 }
212 
213 bool
214 Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &)
215 {
216  updateTlsVersionLimits();
217 
218  Security::ContextPointer t(createBlankContext());
219  if (t) {
220 
221 #if USE_OPENSSL
222  if (certs.size() > 1) {
223  // NOTE: calling SSL_CTX_use_certificate() repeatedly _replaces_ the previous cert details.
224  // so we cannot use it and support multiple server certificates with OpenSSL.
225  debugs(83, DBG_CRITICAL, "ERROR: OpenSSL does not support multiple server certificates. Ignoring additional cert= parameters.");
226  }
227 
228  const auto &keys = certs.front();
229 
230  if (!SSL_CTX_use_certificate(t.get(), keys.cert.get())) {
231  const auto x = ERR_get_error();
232  debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS certificate '" << keys.certFile << "': " << Security::ErrorString(x));
233  return false;
234  }
235 
236  if (!SSL_CTX_use_PrivateKey(t.get(), keys.pkey.get())) {
237  const auto x = ERR_get_error();
238  debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS private key '" << keys.privateKeyFile << "': " << Security::ErrorString(x));
239  return false;
240  }
241 
242  for (auto cert : keys.chain) {
243  if (SSL_CTX_add_extra_chain_cert(t.get(), cert.get())) {
244  // increase the certificate lock
245  X509_up_ref(cert.get());
246  } else {
247  const auto error = ERR_get_error();
248  debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << Security::ErrorString(error));
249  }
250  }
251 
252 #elif HAVE_LIBGNUTLS
253  for (auto &keys : certs) {
254  gnutls_x509_crt_t crt = keys.cert.get();
255  gnutls_x509_privkey_t xkey = keys.pkey.get();
256  const auto x = gnutls_certificate_set_x509_key(t.get(), &crt, 1, xkey);
257  if (x != GNUTLS_E_SUCCESS) {
258  SBuf whichFile = keys.certFile;
259  if (keys.certFile != keys.privateKeyFile) {
260  whichFile.appendf(" and ");
261  whichFile.append(keys.privateKeyFile);
262  }
263  debugs(83, DBG_CRITICAL, "ERROR: Failed to initialize server context with keys from " << whichFile << ": " << Security::ErrorString(x));
264  return false;
265  }
266  // XXX: add cert chain to the context
267  }
268 #endif
269 
270  if (!loadClientCaFile())
271  return false;
272 
273  // by this point all config related files must be loaded
274  if (!updateContextConfig(t)) {
275  debugs(83, DBG_CRITICAL, "ERROR: Configuring static TLS context");
276  return false;
277  }
278  }
279 
280  staticContext = std::move(t);
281  return bool(staticContext);
282 }
283 
284 void
285 Security::ServerOptions::createSigningContexts(const AnyP::PortCfg &port)
286 {
287  // For signing we do not have a pre-initialized context object. Instead
288  // contexts are generated as needed. This method initializes the cert
289  // and key pointers used to sign those contexts later.
290 
291  signingCa = certs.front();
292 
293  const char *portType = AnyP::ProtocolType_str[port.transport.protocol];
294  if (!signingCa.cert) {
295  char buf[128];
296  // XXX: we never actually checked that the cert is capable of signing!
297  fatalf("No valid signing certificate configured for %s_port %s", portType, port.s.toUrl(buf, sizeof(buf)));
298  }
299 
300  if (!signingCa.pkey)
301  debugs(3, DBG_IMPORTANT, "No TLS private key configured for " << portType << "_port " << port.s);
302 
303 #if USE_OPENSSL
304  Ssl::generateUntrustedCert(untrustedSigningCa.cert, untrustedSigningCa.pkey, signingCa.cert, signingCa.pkey);
305 #elif HAVE_LIBGNUTLS
306  // TODO: implement for GnuTLS. Just a warning for now since generate is implicitly on for all crypto builds.
307  signingCa.cert.reset();
308  signingCa.pkey.reset();
309  debugs(83, DBG_CRITICAL, "WARNING: Dynamic TLS certificate generation requires --with-openssl.");
310  return;
311 #else
312  debugs(83, DBG_CRITICAL, "ERROR: Dynamic TLS certificate generation requires --with-openssl.");
313  return;
314 #endif
315 
316  if (!untrustedSigningCa.cert) {
317  char buf[128];
318  fatalf("Unable to generate signing certificate for untrusted sites for %s_port %s", portType, port.s.toUrl(buf, sizeof(buf)));
319  }
320 }
321 
322 void
323 Security::ServerOptions::syncCaFiles()
324 {
325  // if caFiles is set, just use that
326  if (caFiles.size())
327  return;
328 
329  // otherwise fall back to clientca if it is defined
330  if (!clientCaFile.isEmpty())
331  caFiles.emplace_back(clientCaFile);
332 }
333 
337 bool
338 Security::ServerOptions::loadClientCaFile()
339 {
340  if (clientCaFile.isEmpty())
341  return true;
342 
343 #if USE_OPENSSL
344  auto *stk = SSL_load_client_CA_file(clientCaFile.c_str());
345  clientCaStack = Security::ServerOptions::X509_NAME_STACK_Pointer(stk);
346 #endif
347  if (!clientCaStack) {
348  debugs(83, DBG_CRITICAL, "FATAL: Unable to read client CAs from file: " << clientCaFile);
349  }
350 
351  return bool(clientCaStack);
352 }
353 
354 void
355 Security::ServerOptions::loadDhParams()
356 {
357  if (dhParamsFile.isEmpty())
358  return;
359 
360  // TODO: After loading and validating parameters, also validate that "the
361  // public and private components have the correct mathematical
362  // relationship". See EVP_PKEY_check().
363 
364 #if USE_OPENSSL
365 #if OPENSSL_VERSION_MAJOR < 3
366  DH *dhp = nullptr;
367  if (FILE *in = fopen(dhParamsFile.c_str(), "r")) {
368  dhp = PEM_read_DHparams(in, nullptr, nullptr, nullptr);
369  fclose(in);
370  } else {
371  const auto xerrno = errno;
372  debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << ReportSysError(xerrno));
373  return;
374  }
375 
376  if (!dhp) {
377  debugs(83, DBG_IMPORTANT, "WARNING: Failed to read DH parameters '" << dhParamsFile << "'");
378  return;
379  }
380 
381  int codes;
382  if (DH_check(dhp, &codes) == 0) {
383  if (codes) {
384  debugs(83, DBG_IMPORTANT, "WARNING: Failed to verify DH parameters '" << dhParamsFile << "' (" << asHex(codes) << ")");
385  DH_free(dhp);
386  dhp = nullptr;
387  }
388  }
389 
390  parsedDhParams.resetWithoutLocking(dhp);
391 
392 #else // OpenSSL 3.0+
393  const auto type = eecdhCurve.isEmpty() ? "DH" : "EC";
394 
395  Ssl::ForgetErrors();
396  EVP_PKEY *rawPkey = nullptr;
397  using DecoderContext = std::unique_ptr<OSSL_DECODER_CTX, HardFun<void, OSSL_DECODER_CTX*, &OSSL_DECODER_CTX_free> >;
398  if (const DecoderContext dctx{OSSL_DECODER_CTX_new_for_pkey(&rawPkey, "PEM", nullptr, type, 0, nullptr, nullptr)}) {
399 
400  // OpenSSL documentation is vague on this, but OpenSSL code and our
401  // tests suggest that rawPkey remains nil here while rawCtx keeps
402  // rawPkey _address_ for use by the decoder (see OSSL_DECODER_from_fp()
403  // below). Thus, we must not move *rawPkey into a smart pointer until
404  // decoding is over. For cleanup code simplicity, we assert nil rawPkey.
405  assert(!rawPkey);
406 
407  if (OSSL_DECODER_CTX_get_num_decoders(dctx.get()) == 0) {
408  debugs(83, DBG_IMPORTANT, "WARNING: No suitable decoders found for " << type << " parameters" << Ssl::ReportAndForgetErrors);
409  return;
410  }
411 
412  if (const auto in = fopen(dhParamsFile.c_str(), "r")) {
413  if (OSSL_DECODER_from_fp(dctx.get(), in)) {
414  assert(rawPkey);
415  const Security::DhePointer pkey(rawPkey);
416  // TODO: verify that the loaded parameters match the curve named in eecdhCurve
417 
418  if (const Ssl::EVP_PKEY_CTX_Pointer pkeyCtx{EVP_PKEY_CTX_new_from_pkey(nullptr, pkey.get(), nullptr)}) {
419  switch (EVP_PKEY_param_check(pkeyCtx.get())) {
420  case 1: // success
421  parsedDhParams = pkey;
422  break;
423  case -2:
424  debugs(83, DBG_PARSE_NOTE(2), "WARNING: OpenSSL does not support " << type << " parameters check: " << dhParamsFile << Ssl::ReportAndForgetErrors);
425  break;
426  default:
427  debugs(83, DBG_IMPORTANT, "ERROR: Failed to verify " << type << " parameters in " << dhParamsFile << Ssl::ReportAndForgetErrors);
428  break;
429  }
430  } else {
431  // TODO: Reduce error reporting code duplication.
432  debugs(83, DBG_IMPORTANT, "ERROR: Cannot check " << type << " parameters in " << dhParamsFile << Ssl::ReportAndForgetErrors);
433  }
434  } else {
435  debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode " << type << " parameters '" << dhParamsFile << "'" << Ssl::ReportAndForgetErrors);
436  EVP_PKEY_free(rawPkey); // probably still nil, but just in case
437  }
438  fclose(in);
439  } else {
440  const auto xerrno = errno;
441  debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << ReportSysError(xerrno));
442  }
443 
444  } else {
445  debugs(83, DBG_IMPORTANT, "WARNING: Unable to create decode context for " << type << " parameters" << Ssl::ReportAndForgetErrors);
446  return;
447  }
448 #endif
449 #endif // USE_OPENSSL
450 }
451 
452 bool
453 Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx)
454 {
455  updateContextOptions(ctx);
456  updateContextSessionId(ctx);
457 
458 #if USE_OPENSSL
459  if (parsedFlags & SSL_FLAG_NO_SESSION_REUSE) {
460  SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_OFF);
461  }
462 
463  if (Config.SSL.unclean_shutdown) {
464  debugs(83, 5, "Enabling quiet SSL shutdowns (RFC violation).");
465  SSL_CTX_set_quiet_shutdown(ctx.get(), 1);
466  }
467 
468  if (!sslCipher.isEmpty()) {
469  debugs(83, 5, "Using cipher suite " << sslCipher << ".");
470  if (!SSL_CTX_set_cipher_list(ctx.get(), sslCipher.c_str())) {
471  auto ssl_error = ERR_get_error();
472  debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << sslCipher << "': " << Security::ErrorString(ssl_error));
473  return false;
474  }
475  }
476 
477  Ssl::MaybeSetupRsaCallback(ctx);
478 #endif
479 
480  updateContextEecdh(ctx);
481  updateContextCa(ctx);
482  updateContextClientCa(ctx);
483 
484 #if USE_OPENSSL
485  SSL_CTX_set_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
486  if (parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN)
487  SSL_CTX_set_ex_data(ctx.get(), ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
488 
489  Security::SetSessionCacheCallbacks(ctx);
490 #endif
491  return true;
492 }
493 
494 void
495 Security::ServerOptions::updateContextClientCa(Security::ContextPointer &ctx)
496 {
497 #if USE_OPENSSL
498  if (clientCaStack) {
499  ERR_clear_error();
500  if (STACK_OF(X509_NAME) *clientca = SSL_dup_CA_list(clientCaStack.get())) {
501  SSL_CTX_set_client_CA_list(ctx.get(), clientca);
502  } else {
503  auto ssl_error = ERR_get_error();
504  debugs(83, DBG_CRITICAL, "ERROR: Failed to dupe the client CA list: " << Security::ErrorString(ssl_error));
505  return;
506  }
507 
508  Ssl::ConfigurePeerVerification(ctx, parsedFlags);
509 
510  updateContextCrl(ctx);
511  updateContextTrust(ctx);
512 
513  } else {
514  Ssl::DisablePeerVerification(ctx);
515  }
516 #else
517  (void)ctx;
518 #endif
519 }
520 
521 void
522 Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
523 {
524  // set Elliptic Curve details into the server context
525  if (!eecdhCurve.isEmpty()) {
526  debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
527 
528 #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
529 
530  Ssl::ForgetErrors();
531 
532  int nid = OBJ_sn2nid(eecdhCurve.c_str());
533  if (!nid) {
534  debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'");
535  return;
536  }
537 
538 #if OPENSSL_VERSION_MAJOR < 3
539  auto ecdh = EC_KEY_new_by_curve_name(nid);
540  if (!ecdh) {
541  const auto x = ERR_get_error();
542  debugs(83, DBG_CRITICAL, "ERROR: Unable to configure Ephemeral ECDH: " << Security::ErrorString(x));
543  return;
544  }
545 
546  if (!SSL_CTX_set_tmp_ecdh(ctx.get(), ecdh)) {
547  const auto x = ERR_get_error();
548  debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(x));
549  }
550  EC_KEY_free(ecdh);
551 
552 #else
553  // TODO: Support multiple group names via SSL_CTX_set1_groups_list().
554  if (!SSL_CTX_set1_groups(ctx.get(), &nid, 1)) {
555  debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Ssl::ReportAndForgetErrors);
556  return;
557  }
558 #endif
559 #else
560  debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." <<
561  " Please link against OpenSSL>=0.9.8 and ensure OPENSSL_NO_ECDH is not set.");
562  (void)ctx;
563 #endif
564  }
565 
566  // set DH parameters into the server context
567 #if USE_OPENSSL
568  if (parsedDhParams) {
569  SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get());
570  }
571 #endif
572 }
573 
574 void
575 Security::ServerOptions::updateContextSessionId(Security::ContextPointer &ctx)
576 {
577 #if USE_OPENSSL
578  if (!staticContextSessionId.isEmpty())
579  SSL_CTX_set_session_id_context(ctx.get(), reinterpret_cast<const unsigned char*>(staticContextSessionId.rawContent()), staticContextSessionId.length());
580 #else
581  (void)ctx;
582 #endif
583 }
584 
Security::ServerOptions::updateContextConfig
bool updateContextConfig(Security::ContextPointer &)
update the given TLS security context using squid.conf settings
Definition: ServerOptions.cc:453
SSL_FLAG_DONT_VERIFY_DOMAIN
#define SSL_FLAG_DONT_VERIFY_DOMAIN
Definition: forward.h:56
Ssl::Initialize
void Initialize()
Definition: support.cc:742
Security::ServerOptions::parse
void parse(const char *) override
parse a TLS squid.conf option
Definition: ServerOptions.cc:60
Security::ServerOptions::X509_NAME_STACK_Pointer
std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > X509_NAME_STACK_Pointer
Definition: ServerOptions.h:30
DBG_CRITICAL
#define DBG_CRITICAL
Definition: Stream.h:37
Ssl::generateUntrustedCert
bool generateUntrustedCert(Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
Definition: support.cc:1458
Security::ContextPointer
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
Ssl::MaybeSetupRsaCallback
void MaybeSetupRsaCallback(Security::ContextPointer &)
if required, setup callback for generating ephemeral RSA keys
Definition: support.cc:233
Security::ServerOptions::createStaticServerContext
bool createStaticServerContext(AnyP::PortCfg &)
Definition: ServerOptions.cc:214
Security::ServerOptions::createSigningContexts
void createSigningContexts(const AnyP::PortCfg &)
Definition: ServerOptions.cc:285
error
void error(char *format,...)
AnyP::ProtocolType_str
const char * ProtocolType_str[]
Security::ServerOptions::parsedDhParams
Security::DhePointer parsedDhParams
DH parameters for temporary/ephemeral DH key exchanges.
Definition: ServerOptions.h:119
SBuf
Definition: SBuf.h:93
ReportSysError
a stream manipulator for printing a system call error (if any)
Definition: SysErrorDetail.h:43
max
const A & max(A const &lhs, A const &rhs)
Definition: compat_shared.h:124
parseBytesOptionValue
void parseBytesOptionValue(size_t *bptr, const char *units, char const *value)
Parse bytes number from a string.
Definition: cache_cf.cc:1395
Security::ServerOptions::dumpCfg
void dumpCfg(std::ostream &, const char *pfx) const override
output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
Definition: ServerOptions.cc:140
cache_cf.h
Security::PeerOptions::operator=
PeerOptions & operator=(const PeerOptions &)=default
port
static int port
Definition: ldap_backend.cc:70
self_destruct
void self_destruct(void)
Definition: cache_cf.cc:276
Security::ServerOptions::generateHostCertificates
bool generateHostCertificates
dynamically make host cert
Definition: ServerOptions.h:75
Ssl::ReportAndForgetErrors
std::ostream & ReportAndForgetErrors(std::ostream &)
Definition: gadgets.cc:36
Security::ServerOptions::dynamicCertMemCacheSize
size_t dynamicCertMemCacheSize
max size of generated certificates memory cache (4 MB default)
Definition: ServerOptions.h:91
Security::ServerOptions::dhParamsFile
SBuf dhParamsFile
Diffi-Helman ciphers parameter file.
Definition: ServerOptions.h:116
keys
static char * keys[]
Definition: windows_service.cc:84
DBG_PARSE_NOTE
#define DBG_PARSE_NOTE(x)
Definition: Stream.h:42
Security::ServerOptions::updateContextSessionId
void updateContextSessionId(Security::ContextPointer &)
update the context with a configured session ID (if any)
Definition: ServerOptions.cc:575
Security::ServerOptions::updateContextClientCa
void updateContextClientCa(Security::ContextPointer &)
update the context with CA details used to verify client certificates
Definition: ServerOptions.cc:495
SSL_FLAG_NO_SESSION_REUSE
#define SSL_FLAG_NO_SESSION_REUSE
Definition: forward.h:57
asHex
AsHex< Integer > asHex(const Integer n)
a helper to ease AsHex object creation
Definition: IoManip.h:169
Security::ServerOptions::staticContextSessionId
SBuf staticContextSessionId
"session id context" for staticContext
Definition: ServerOptions.h:72
Security::SetSessionCacheCallbacks
void SetSessionCacheCallbacks(Security::ContextPointer &)
Setup the given TLS context with callbacks used to manage the session cache.
Definition: Session.cc:376
Security::ServerOptions::clientCaFile
SBuf clientCaFile
name of file to load client CAs from
Definition: ServerOptions.h:107
assert
#define assert(EX)
Definition: assert.h:17
Security::ServerOptions::updateContextEecdh
void updateContextEecdh(Security::ContextPointer &)
update the context with DH, EDH, EECDH settings
Definition: ServerOptions.cc:522
fatalf
void fatalf(const char *fmt,...)
Definition: fatal.cc:68
SquidConfig::unclean_shutdown
int unclean_shutdown
Definition: SquidConfig.h:487
Security::PeerOptions::dumpCfg
virtual void dumpCfg(std::ostream &, const char *pfx) const
output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
Definition: PeerOptions.cc:105
Security::ServerOptions::dh
SBuf dh
Diffi-Helman cipher config.
Definition: ServerOptions.h:115
TLS_server_method
#define TLS_server_method
Definition: openssl.h:200
SBuf::append
SBuf & append(const SBuf &S)
Definition: SBuf.cc:185
Security::ServerOptions::syncCaFiles
void syncCaFiles()
sync the various sources of CA files to be loaded
Definition: ServerOptions.cc:323
Security::ServerOptions::createBlankContext
Security::ContextPointer createBlankContext() const override
generate an unset security context object
Definition: ServerOptions.cc:163
SBuf::npos
static const size_type npos
Definition: SBuf.h:100
Security::ServerOptions
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:25
Security::ServerOptions::initServerContexts
void initServerContexts(AnyP::PortCfg &)
Definition: ServerOptions.cc:193
Ssl::DisablePeerVerification
void DisablePeerVerification(Security::ContextPointer &)
Definition: support.cc:523
Security::ServerOptions::untrustedSigningCa
Security::KeyData untrustedSigningCa
x509 certificate and key for signing untrusted generated certificates
Definition: ServerOptions.h:88
Ssl::ForgetErrors
void ForgetErrors()
Clear any errors accumulated by OpenSSL in its global storage.
Definition: gadgets.cc:19
DBG_IMPORTANT
#define DBG_IMPORTANT
Definition: Stream.h:38
Security::ServerOptions::eecdhCurve
SBuf eecdhCurve
Elliptic curve for ephemeral EC-based DH key exchanges.
Definition: ServerOptions.h:117
Ssl::EVP_PKEY_CTX_Pointer
std::unique_ptr< EVP_PKEY_CTX, HardFun< void, EVP_PKEY_CTX *, &EVP_PKEY_CTX_free > > EVP_PKEY_CTX_Pointer
Definition: gadgets.h:67
ssl_ctx_ex_index_dont_verify_domain
int ssl_ctx_ex_index_dont_verify_domain
Ssl::ConfigurePeerVerification
void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags)
set the certificate verify callback for a context
Definition: support.cc:496
Security::ServerOptions::operator=
ServerOptions & operator=(const ServerOptions &)
Definition: ServerOptions.cc:35
STACK_OF
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
Definition: openssl.h:237
SBuf::appendf
SBuf & appendf(const char *fmt,...) PRINTF_FORMAT_ARG2
Definition: SBuf.cc:229
Security::ErrorString
const char * ErrorString(const LibErrorCode code)
converts numeric LibErrorCode into a human-friendlier string
Definition: forward.h:152
debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:192
Security::ServerOptions::signingCa
Security::KeyData signingCa
x509 certificate and key for signing generated certificates
Definition: ServerOptions.h:87
SquidConfig::SSL
struct SquidConfig::@104 SSL
Security::LockingPointer::get
T * get() const
Returns raw and possibly nullptr pointer.
Definition: LockingPointer.h:103
Config
class SquidConfig Config
Definition: SquidConfig.cc:12
Security::PeerOptions::parse
virtual void parse(const char *)
parse a TLS squid.conf option
Definition: PeerOptions.cc:33
Security::ServerOptions::clientCaStack
X509_NAME_STACK_Pointer clientCaStack
CA certificate(s) to use when verifying client certificates.
Definition: ServerOptions.h:110

 

Introduction

Documentation

Support

Miscellaneous