Modules
Server-Side SSL Internals
Typedefs
typedef char const * Ssl::GETX509ATTRIBUTE(X509 *, const char *)
Enumerations
enum Ssl::BumpMode { Ssl::bumpNone = 0, Ssl::bumpClientFirst, Ssl::bumpServerFirst, Ssl::bumpPeek, Ssl::bumpStare, Ssl::bumpBump, Ssl::bumpSplice, Ssl::bumpTerminate, Ssl::bumpEnd }
Detailed Description
Typedef Documentation
◆ GETX509ATTRIBUTE
typedef char const * Ssl::GETX509ATTRIBUTE(X509 *, const char *)
Enumeration Type Documentation
◆ BumpMode
enum Ssl::BumpMode
Function Documentation
◆ asn1timeToString()
Convert a given ASN1_TIME to a string form.
- Parameters
  - tm: the time in ASN1_TIME form
  - buf: the buffer to write the output to
  - len: write at most len bytes
- Returns
  - The number of bytes written
Definition at line 181 of file support.cc.
Referenced by Security::ErrorDetail::printNotAfter(), Security::ErrorDetail::printNotBefore(), and STUB_RETVAL().
◆ BIO_new_SBuf()
BIO * Ssl::BIO_new_SBuf(SBuf * buf)
Creates and returns an OpenSSL BIO object for writing to buf (or throws). TODO: Add support for reading from buf.
Definition at line 1467 of file support.cc.
References bio_sbuf_create(), bio_sbuf_ctrl(), bio_sbuf_destroy(), bio_sbuf_puts(), bio_sbuf_write(), BIO_set_data(), BIO_set_init(), Must, and NULL.
Referenced by Ssl::InRamCertificateDbKey().
◆ bumpMode()
inline
Return the short name of the ssl-bump mode "bm".
Definition at line 138 of file support.h.
References Ssl::bumpEnd, and Ssl::BumpModeStr.
Referenced by applyTlsDetailsToSSL(), Format::Format::assemble(), httpsSslBumpAccessCheckDone(), ClientRequestContext::sslBumpAccessCheck(), ClientRequestContext::sslBumpAccessCheckDone(), ClientHttpRequest::sslBumpNeed(), and ClientHttpRequest::sslBumpStart().
◆ CertificatesCmp()
bool Ssl::CertificatesCmp(const Security::CertPointer & cert1, const Security::CertPointer & cert2)
- Returns
- whether both certificates exist and are the same (e.g., have identical ASN.1 images)
Definition at line 980 of file gadgets.cc.
References Security::LockingPointer< T, UnLocker, Locker >::get().
Referenced by Ssl::CertificateDb::pure_find().
◆ chainCertificatesToSSLContext()
void Ssl::chainCertificatesToSSLContext(Security::ContextPointer & ctx, Security::ServerOptions & options)
Chain the signing certificate and its chained certificates to an SSL context.
Definition at line 970 of file support.cc.
References assert, Security::KeyData::cert, Security::KeyData::chain, DBG_IMPORTANT, debugs, error(), Security::ErrorString(), Security::LockingPointer< T, UnLocker, Locker >::get(), and Security::ServerOptions::signingCa.
Referenced by Ssl::configureUnconfiguredSslContext(), Ssl::GenerateSslContext(), and Ssl::GenerateSslContextUsingPkeyAndCertFromMemory().
◆ checkX509ServerValidity()
bool Ssl::checkX509ServerValidity(X509 * cert, const char * server)
Check if the certificate is valid for a server.
- Parameters
  - cert: The X509 cert to check.
  - server: The server name.
- Returns
  - true if the certificate is valid for the server, false otherwise.
Definition at line 254 of file support.cc.
References check_domain(), Ssl::matchX509CommonNames(), and server.
Referenced by Acl::ServerNameCheck::match(), ConnStateData::serveDelayedError(), ssl_verify_cb(), and STUB_RETVAL().
◆ CommonHostName()
const char * Ssl::CommonHostName(X509 * x509)
Returns the CN from the certificate, suitable for use as a host name. Uses static memory to temporarily store the extracted name.
Definition at line 969 of file gadgets.cc.
References getSubjectEntry().
Referenced by Ssl::certificateMatchesProperties(), Ssl::generateUntrustedCert(), Ssl::PeekingPeerConnector::noteNegotiationDone(), and Ssl::PeekingPeerConnector::serverCertificateVerified().
◆ configureSSL()
bool Ssl::configureSSL(SSL * ssl, CertificateProperties const & properties, AnyP::PortCfg & port)
Generates a certificate and a private key using the provided properties and sets them on the SSL object.
Definition at line 1002 of file support.cc.
References Ssl::generateSslCertificate(), and Security::LockingPointer< T, UnLocker, Locker >::get().
Referenced by ConnStateData::getSslContextStart().
◆ configureSSLUsingPkeyAndCertFromMemory()
bool Ssl::configureSSLUsingPkeyAndCertFromMemory(SSL * ssl, const char * data, AnyP::PortCfg & port)
Reads a private key and certificate from memory and sets them on the SSL object.
Definition at line 1025 of file support.cc.
References Security::LockingPointer< T, UnLocker, Locker >::get(), and Ssl::readCertAndPrivateKeyFromMemory().
Referenced by ConnStateData::sslCrtdHandleReply().
◆ configureUnconfiguredSslContext()
void Ssl::configureUnconfiguredSslContext(Security::ContextPointer & ctx, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg & port)
Configure a previously unconfigured SSL context object.
Definition at line 995 of file support.cc.
References Ssl::algSignTrusted, Ssl::chainCertificatesToSSLContext(), and port.
Referenced by ConnStateData::getSslContextStart(), and ConnStateData::sslCrtdHandleReply().
◆ createSSLContext()
Security::ContextPointer Ssl::createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions & options)
Create an SSL context using the provided certificate and key.
Definition at line 925 of file support.cc.
References Security::ServerOptions::createBlankContext(), Security::LockingPointer< T, UnLocker, Locker >::get(), and Security::ServerOptions::updateContextConfig().
Referenced by Ssl::GenerateSslContext(), Ssl::GenerateSslContextUsingPkeyAndCertFromMemory(), and ConnStateData::startPeekAndSplice().
◆ GenerateSslContext()
Security::ContextPointer Ssl::GenerateSslContext(CertificateProperties const & properties, Security::ServerOptions & options, bool trusted)
Decide on the kind of certificate and generate a CA- or self-signed one.
Definition at line 956 of file support.cc.
References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::generateSslCertificate().
Referenced by ConnStateData::getSslContextStart(), and STUB_RETVAL().
◆ GenerateSslContextUsingPkeyAndCertFromMemory()
Security::ContextPointer Ssl::GenerateSslContextUsingPkeyAndCertFromMemory(const char * data, Security::ServerOptions & options, bool trusted)
Reads a private key and certificate from memory and generates an SSL context using them.
Definition at line 942 of file support.cc.
References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::readCertAndPrivateKeyFromMemory().
Referenced by ConnStateData::sslCrtdHandleReply(), and STUB_RETVAL().
◆ generateUntrustedCert()
bool Ssl::generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey)
Generate a certificate to be used as an untrusted signing certificate, based on a trusted CA.
Definition at line 1367 of file support.cc.
References Ssl::algSignSelf, Ssl::CommonHostName(), Ssl::CertificateProperties::commonName, Ssl::generateSslCertificate(), Security::LockingPointer< T, UnLocker, Locker >::get(), Ssl::getOrganization(), Ssl::CertificateProperties::mimicCert, Security::LockingPointer< T, UnLocker, Locker >::resetAndLock(), Ssl::CertificateProperties::setCommonName, Ssl::CertificateProperties::signAlgorithm, and Ssl::CertificateProperties::signWithPkey.
Referenced by Security::ServerOptions::createSigningContexts(), and STUB_RETVAL().
◆ getOrganization()
const char * Ssl::getOrganization(X509 * x509)
Returns the Organization from the certificate. Uses static memory to temporarily store the extracted name.
Definition at line 974 of file gadgets.cc.
References getSubjectEntry().
Referenced by Ssl::generateUntrustedCert().
◆ InRamCertificateDbKey()
void Ssl::InRamCertificateDbKey(const Ssl::CertificateProperties & certProperties, SBuf & key)
Generates a unique key based on the CertificateProperties object and stores it in key.
Definition at line 1390 of file support.cc.
References Ssl::algSignEnd, SBuf::append(), Ssl::BIO_new_SBuf(), Ssl::certSignAlgorithm(), Ssl::CertificateProperties::commonName, Security::LockingPointer< T, UnLocker, Locker >::get(), Ssl::CertificateProperties::mimicCert, Ssl::CertificateProperties::setCommonName, Ssl::CertificateProperties::setValidAfter, Ssl::CertificateProperties::setValidBefore, Ssl::CertificateProperties::signAlgorithm, Ssl::CertificateProperties::signHash, and Ssl::X509_get_signature().
Referenced by ConnStateData::getSslContextStart().
◆ loadCerts()
bool Ssl::loadCerts(const char * certsFile, Ssl::CertsIndexedList & list)
Load PEM-encoded certificates from the given file.
Definition at line 1120 of file support.cc.
References DBG_IMPORTANT, debugs, Ssl::ReadOptionalCertificate(), and Security::SubjectName().
Referenced by Ssl::loadSquidUntrusted().
◆ loadSquidUntrusted()
bool Ssl::loadSquidUntrusted(const char * path)
Load PEM-encoded certificates from the given file into Squid's internal DB of untrusted certificates.
Definition at line 1351 of file support.cc.
References Ssl::loadCerts(), and SquidUntrustedCerts.
Referenced by configDoConfigure().
◆ matchX509CommonNames()
int Ssl::matchX509CommonNames(X509 * peer_cert, void * check_data, int(*)(void *check_data, ASN1_STRING *cn_data) check_func)
Iterates over the X509 common and alternate names to see if any matches the given data, using check_func.
- Parameters
  - peer_cert: The X509 cert to check.
  - check_data: The data with which the X509 CNs are compared.
  - check_func: The function used to match X509 CNs. The CN data is passed as ASN1_STRING data.
- Returns
  - 1 if any of the certificate CNs matches, 0 if none matches.
Definition at line 195 of file support.cc.
References assert, and STACK_OF().
Referenced by Ssl::checkX509ServerValidity(), Acl::ServerNameCheck::match(), Security::ErrorDetail::printCommonName(), and STUB_RETVAL().
◆ setClientSNI()
void Ssl::setClientSNI(SSL * ssl, const char * fqdn)
Sets the hostname for the Server Name Indication (SNI) TLS extension, if supported by the OpenSSL toolkit in use.
Definition at line 1070 of file support.cc.
References debugs, Security::ErrorString(), and Ip::Address::isAnyAddr().
Referenced by Ssl::IcapPeerConnector::initialize(), Security::BlindPeerConnector::initialize(), Ssl::PeekingPeerConnector::initialize(), and STUB_RETVAL().
◆ sslGetCAAttribute()
const char * sslGetCAAttribute(SSL * ssl, const char * attribute_name)
Definition at line 871 of file support.cc.
References Ssl::GetX509CAAttribute.
Referenced by Format::Format::assemble().
◆ sslGetUserAttribute()
const char * sslGetUserAttribute(SSL * ssl, const char * attribute_name)
Definition at line 858 of file support.cc.
References Ssl::GetX509UserAttribute.
Referenced by Format::Format::assemble(), and sslGetUserEmail().
◆ sslGetUserCertificateChainPEM()
SBuf sslGetUserCertificateChainPEM(SSL * ssl)
Definition at line 902 of file support.cc.
References assert, and sslGetUserCertificatePEM().
◆ sslGetUserCertificatePEM()
SBuf sslGetUserCertificatePEM(SSL * ssl)
Definition at line 891 of file support.cc.
References assert, and Ssl::GetX509PEM.
Referenced by Format::Format::assemble(), and sslGetUserCertificateChainPEM().
◆ sslGetUserEmail()
const char * sslGetUserEmail(SSL * ssl)
Definition at line 885 of file support.cc.
References sslGetUserAttribute().
Referenced by ClientHttpRequest::logRequest(), ClientHttpRequest::noteAdaptationAclCheckDone(), and statClientRequests().
◆ unloadSquidUntrusted()
void Ssl::unloadSquidUntrusted()
Removes all certificates from Squid's internal DB of untrusted certificates and frees all memory.
Definition at line 1357 of file support.cc.
References SquidUntrustedCerts.
Referenced by configFreeMemory().
◆ useSquidUntrusted()
void Ssl::useSquidUntrusted(SSL_CTX * sslContext)
Configures sslContext to use Squid's internal list of untrusted certificates to complete certificate chains when verifying SSL server certificates.
Definition at line 1345 of file support.cc.
References untrustedToStoreCtx_cb().
Referenced by configDoConfigure().
◆ verifySslCertificate()
bool Ssl::verifySslCertificate(const Security::ContextPointer & ctx, CertificateProperties const &)
Check if the certificate of the given context is still valid.
- Parameters
  - sslContext: The context to check.
  - properties: Check if the context certificate matches the given properties.
- Returns
  - true if the context's certificate is valid, false otherwise.
Definition at line 1045 of file support.cc.
References assert, Security::NewSessionObject(), NULL, X509_getm_notAfter, and X509_getm_notBefore.
Referenced by ConnStateData::getTlsContextFromCache(), and STUB_RETVAL().
Variable Documentation
◆ BumpModeStr
extern
Short names for ssl-bump modes.
Definition at line 46 of file support.cc.
Referenced by Ssl::bumpMode(), parse_sslproxy_ssl_bump(), and STUB_RETVAL().
◆ GetX509CAAttribute
const char * Ssl::GetX509CAAttribute
Definition at line 112 of file support.h.
Referenced by Format::Format::assemble(), Acl::Init(), and sslGetCAAttribute().
◆ GetX509Fingerprint
const char * Ssl::GetX509Fingerprint
Definition at line 118 of file support.h.
Referenced by Acl::Init().
◆ GetX509PEM
SBuf Ssl::GetX509PEM
Definition at line 115 of file support.h.
Referenced by Format::Format::assemble(), sslGetUserCertificatePEM(), and STUB_RETVAL().
◆ GetX509UserAttribute
const char * Ssl::GetX509UserAttribute
Definition at line 109 of file support.h.
Referenced by Format::Format::assemble(), Acl::Init(), and sslGetUserAttribute().