Modules | |
| Server-Side SSL Internals | |
Typedefs | |
| typedef const char * | Ssl::GETX509ATTRIBUTE(X509 *, const char *) |
Enumerations | |
| enum | Ssl::BumpMode { Ssl::bumpNone = 0, Ssl::bumpClientFirst, Ssl::bumpServerFirst, Ssl::bumpPeek, Ssl::bumpStare, Ssl::bumpBump, Ssl::bumpSplice, Ssl::bumpTerminate, Ssl::bumpEnd } |
Detailed Description
Typedef Documentation
◆ GETX509ATTRIBUTE
| typedef const char* Ssl::GETX509ATTRIBUTE(X509 *, const char *) |
Enumeration Type Documentation
◆ BumpMode
| enum Ssl::BumpMode |
Function Documentation
◆ asn1timeToString()
Convert a given ASN1_TIME to a string form.
- Parameters
-
tm the time in ASN1_TIME form buf the buffer to write the output len write at most len bytes
- Returns
- The number of bytes written
Definition at line 243 of file support.cc.
Referenced by Security::ErrorDetail::printNotAfter(), Security::ErrorDetail::printNotBefore(), and STUB_RETVAL().
◆ BIO_new_SBuf()
| BIO * Ssl::BIO_new_SBuf | ( | SBuf * | buf | ) |
Creates and returns an OpenSSL BIO object for writing to buf (or throws). TODO: Add support for reading from buf.
Definition at line 1558 of file support.cc.
References bio_sbuf_create(), bio_sbuf_ctrl(), bio_sbuf_destroy(), bio_sbuf_puts(), bio_sbuf_write(), BIO_set_data(), BIO_set_init(), Must, and NULL.
Referenced by Ssl::InRamCertificateDbKey().
◆ bumpMode()
|
inline |
Return the short name of the ssl-bump mode "bm"
Definition at line 144 of file support.h.
References Ssl::bumpEnd, and Ssl::BumpModeStr.
Referenced by applyTlsDetailsToSSL(), Format::Format::assemble(), httpsSslBumpAccessCheckDone(), ClientRequestContext::sslBumpAccessCheck(), ClientRequestContext::sslBumpAccessCheckDone(), ClientHttpRequest::sslBumpNeed(), and ClientHttpRequest::sslBumpStart().
◆ CertificatesCmp()
| bool Ssl::CertificatesCmp | ( | const Security::CertPointer & | cert1, |
| const Security::CertPointer & | cert2 | ||
| ) |
- Returns
- whether both certificates exist and are the same (e.g., have identical ASN.1 images)
Definition at line 1038 of file gadgets.cc.
References Security::LockingPointer< T, UnLocker, Locker >::get().
Referenced by Ssl::CertificateDb::pure_find().
◆ chainCertificatesToSSLContext()
| void Ssl::chainCertificatesToSSLContext | ( | Security::ContextPointer & | ctx, |
| Security::ServerOptions & | options | ||
| ) |
Chain signing certificate and chained certificates to an SSL Context
Definition at line 1061 of file support.cc.
References assert, Security::KeyData::cert, Security::KeyData::chain, DBG_IMPORTANT, debugs, error(), Security::ErrorString(), Security::LockingPointer< T, UnLocker, Locker >::get(), and Security::ServerOptions::signingCa.
Referenced by Ssl::configureUnconfiguredSslContext(), Ssl::GenerateSslContext(), and Ssl::GenerateSslContextUsingPkeyAndCertFromMemory().
◆ CommonHostName()
| const char * Ssl::CommonHostName | ( | X509 * | x509 | ) |
Returns CN from the certificate, suitable for use as a host name. Uses static memory to temporary store the extracted name.
Definition at line 1027 of file gadgets.cc.
References getSubjectEntry().
Referenced by Ssl::certificateMatchesProperties(), Ssl::generateUntrustedCert(), Ssl::PeekingPeerConnector::noteNegotiationDone(), and Ssl::PeekingPeerConnector::serverCertificateVerified().
◆ configureSSL()
| bool Ssl::configureSSL | ( | SSL * | ssl, |
| CertificateProperties const & | properties, | ||
| AnyP::PortCfg & | port | ||
| ) |
Generates a certificate and a private key using provided properties and set it to SSL object.
Definition at line 1093 of file support.cc.
References Ssl::generateSslCertificate(), and Security::LockingPointer< T, UnLocker, Locker >::get().
Referenced by ConnStateData::getSslContextStart().
◆ configureSSLUsingPkeyAndCertFromMemory()
| bool Ssl::configureSSLUsingPkeyAndCertFromMemory | ( | SSL * | ssl, |
| const char * | data, | ||
| AnyP::PortCfg & | port | ||
| ) |
Read private key and certificate from memory and set it to SSL object using their.
Definition at line 1116 of file support.cc.
References Security::LockingPointer< T, UnLocker, Locker >::get(), and Ssl::readCertAndPrivateKeyFromMemory().
Referenced by ConnStateData::sslCrtdHandleReply().
◆ configureUnconfiguredSslContext()
| void Ssl::configureUnconfiguredSslContext | ( | Security::ContextPointer & | ctx, |
| Ssl::CertSignAlgorithm | signAlgorithm, | ||
| AnyP::PortCfg & | port | ||
| ) |
Configure a previously unconfigured SSL context object.
Definition at line 1086 of file support.cc.
References Ssl::algSignTrusted, Ssl::chainCertificatesToSSLContext(), and port.
Referenced by ConnStateData::getSslContextStart(), and ConnStateData::sslCrtdHandleReply().
◆ createSSLContext()
| Security::ContextPointer Ssl::createSSLContext | ( | Security::CertPointer & | x509, |
| Security::PrivateKeyPointer & | pkey, | ||
| Security::ServerOptions & | options | ||
| ) |
Create an SSL context using the provided certificate and key
Definition at line 1016 of file support.cc.
References Security::ServerOptions::createBlankContext(), Security::LockingPointer< T, UnLocker, Locker >::get(), and Security::ServerOptions::updateContextConfig().
Referenced by Ssl::GenerateSslContext(), Ssl::GenerateSslContextUsingPkeyAndCertFromMemory(), and ConnStateData::startPeekAndSplice().
◆ GenerateSslContext()
| Security::ContextPointer Ssl::GenerateSslContext | ( | CertificateProperties const & | properties, |
| Security::ServerOptions & | options, | ||
| bool | trusted | ||
| ) |
Decide on the kind of certificate and generate a CA- or self-signed one
Definition at line 1047 of file support.cc.
References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::generateSslCertificate().
Referenced by ConnStateData::getSslContextStart(), and STUB_RETVAL().
◆ GenerateSslContextUsingPkeyAndCertFromMemory()
| Security::ContextPointer Ssl::GenerateSslContextUsingPkeyAndCertFromMemory | ( | const char * | data, |
| Security::ServerOptions & | options, | ||
| bool | trusted | ||
| ) |
Read private key and certificate from memory and generate SSL context using their.
Definition at line 1033 of file support.cc.
References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::readCertAndPrivateKeyFromMemory().
Referenced by ConnStateData::sslCrtdHandleReply(), and STUB_RETVAL().
◆ generateUntrustedCert()
| bool Ssl::generateUntrustedCert | ( | Security::CertPointer & | untrustedCert, |
| Security::PrivateKeyPointer & | untrustedPkey, | ||
| Security::CertPointer const & | cert, | ||
| Security::PrivateKeyPointer const & | pkey | ||
| ) |
Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
Definition at line 1458 of file support.cc.
References Ssl::algSignSelf, Ssl::CommonHostName(), Ssl::CertificateProperties::commonName, Ssl::generateSslCertificate(), Security::LockingPointer< T, UnLocker, Locker >::get(), Ssl::getOrganization(), Ssl::CertificateProperties::mimicCert, Security::LockingPointer< T, UnLocker, Locker >::resetAndLock(), Ssl::CertificateProperties::setCommonName, Ssl::CertificateProperties::signAlgorithm, and Ssl::CertificateProperties::signWithPkey.
Referenced by Security::ServerOptions::createSigningContexts(), and STUB_RETVAL().
◆ getOrganization()
| const char * Ssl::getOrganization | ( | X509 * | x509 | ) |
Returns Organization from the certificate. Uses static memory to temporary store the extracted name.
Definition at line 1032 of file gadgets.cc.
References getSubjectEntry().
Referenced by Ssl::generateUntrustedCert().
◆ InRamCertificateDbKey()
| void Ssl::InRamCertificateDbKey | ( | const Ssl::CertificateProperties & | certProperties, |
| SBuf & | key | ||
| ) |
Generates a unique key based on CertificateProperties object and store it to key
Definition at line 1481 of file support.cc.
References Ssl::algSignEnd, SBuf::append(), Ssl::BIO_new_SBuf(), Ssl::certSignAlgorithm(), Ssl::CertificateProperties::commonName, Security::LockingPointer< T, UnLocker, Locker >::get(), Ssl::CertificateProperties::mimicCert, Ssl::CertificateProperties::setCommonName, Ssl::CertificateProperties::setValidAfter, Ssl::CertificateProperties::setValidBefore, Ssl::CertificateProperties::signAlgorithm, Ssl::CertificateProperties::signHash, and Ssl::X509_get_signature().
Referenced by ConnStateData::getSslContextStart().
◆ loadCerts()
| bool Ssl::loadCerts | ( | const char * | certsFile, |
| Ssl::CertsIndexedList & | list | ||
| ) |
Load PEM-encoded certificates from the given file.
Definition at line 1211 of file support.cc.
References DBG_IMPORTANT, debugs, Ssl::ReadOptionalCertificate(), and Security::SubjectName().
Referenced by Ssl::loadSquidUntrusted().
◆ loadSquidUntrusted()
| bool Ssl::loadSquidUntrusted | ( | const char * | path | ) |
Load PEM-encoded certificates to the squid untrusteds certificates internal DB from the given file.
Definition at line 1442 of file support.cc.
References Ssl::loadCerts(), and SquidUntrustedCerts.
Referenced by configDoConfigure().
◆ setClientSNI()
| void Ssl::setClientSNI | ( | SSL * | ssl, |
| const char * | fqdn | ||
| ) |
Sets the hostname for the Server Name Indication (SNI) TLS extension if supported by the used openssl toolkit.
Definition at line 1161 of file support.cc.
References debugs, Security::ErrorString(), and Ip::Address::isAnyAddr().
Referenced by Ssl::PeekingPeerConnector::initialize(), Security::BlindPeerConnector::initialize(), Ssl::IcapPeerConnector::initialize(), and STUB_RETVAL().
◆ sslGetCAAttribute()
| const char* sslGetCAAttribute | ( | SSL * | ssl, |
| const char * | attribute_name | ||
| ) |
Definition at line 962 of file support.cc.
References Ssl::GetX509CAAttribute.
Referenced by Format::Format::assemble().
◆ sslGetUserAttribute()
| const char* sslGetUserAttribute | ( | SSL * | ssl, |
| const char * | attribute_name | ||
| ) |
Definition at line 949 of file support.cc.
References Ssl::GetX509UserAttribute.
Referenced by Format::Format::assemble(), and sslGetUserEmail().
◆ sslGetUserCertificateChainPEM()
| SBuf sslGetUserCertificateChainPEM | ( | SSL * | ssl | ) |
Definition at line 993 of file support.cc.
References assert, and sslGetUserCertificatePEM().
◆ sslGetUserCertificatePEM()
| SBuf sslGetUserCertificatePEM | ( | SSL * | ssl | ) |
Definition at line 982 of file support.cc.
References assert, and Ssl::GetX509PEM.
Referenced by Format::Format::assemble(), and sslGetUserCertificateChainPEM().
◆ sslGetUserEmail()
| const char* sslGetUserEmail | ( | SSL * | ssl | ) |
Definition at line 976 of file support.cc.
References sslGetUserAttribute().
Referenced by ClientHttpRequest::logRequest(), ClientHttpRequest::noteAdaptationAclCheckDone(), and statClientRequests().
◆ unloadSquidUntrusted()
| void Ssl::unloadSquidUntrusted | ( | ) |
Removes all certificates from squid untrusteds certificates internal DB and frees all memory
Definition at line 1448 of file support.cc.
References SquidUntrustedCerts.
Referenced by configFreeMemory().
◆ useSquidUntrusted()
| void Ssl::useSquidUntrusted | ( | SSL_CTX * | sslContext | ) |
Configures sslContext to use squid untrusted certificates internal list to complete certificate chains when verifies SSL servers certificates.
Definition at line 1436 of file support.cc.
References untrustedToStoreCtx_cb().
Referenced by configDoConfigure().
◆ verifySslCertificate()
| bool Ssl::verifySslCertificate | ( | const Security::ContextPointer & | ctx, |
| CertificateProperties const & | |||
| ) |
Check if the certificate of the given context is still valid
- Parameters
-
sslContext The context to check properties Check if the context certificate matches the given properties
- Returns
- true if the contexts certificate is valid, false otherwise
Definition at line 1136 of file support.cc.
References assert, Security::NewSessionObject(), NULL, X509_getm_notAfter, and X509_getm_notBefore.
Referenced by ConnStateData::getTlsContextFromCache(), and STUB_RETVAL().
Variable Documentation
◆ BumpModeStr
| std::vector< const char * > Ssl::BumpModeStr |
Short names for ssl-bump modes
Definition at line 48 of file support.cc.
Referenced by Ssl::bumpMode(), dump_sslproxy_ssl_bump(), parse_sslproxy_ssl_bump(), and STUB_RETVAL().
◆ GetX509CAAttribute
| const char * Ssl::GetX509CAAttribute |
Definition at line 118 of file support.h.
Referenced by Format::Format::assemble(), Acl::Init(), and sslGetCAAttribute().
◆ GetX509Fingerprint
| const char * Ssl::GetX509Fingerprint |
Definition at line 124 of file support.h.
Referenced by Acl::Init().
◆ GetX509PEM
| SBuf Ssl::GetX509PEM |
Definition at line 121 of file support.h.
Referenced by Format::Format::assemble(), sslGetUserCertificatePEM(), and STUB_RETVAL().
◆ GetX509UserAttribute
| const char * Ssl::GetX509UserAttribute |
Definition at line 115 of file support.h.
Referenced by Format::Format::assemble(), Acl::Init(), and sslGetUserAttribute().
Introduction
- About Squid
- Why Squid?
- Squid Developers
- How to Donate
- How to Help Out
- Getting Squid
- Squid Source Packages
- Squid Deployment Case-Studies
- Squid Software Foundation
Documentation
- Quick Setup
- Configuration:
- FAQ and Wiki
- Guide Books:
- Non-English
- More...
Support
- Security Advisories
- Bugzilla Database
- Mailing lists
- Contacting us
- Commercial services
- Project Sponsors
- Squid-based products