ServerOptions.h
1 /*
2  * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
10 #define SQUID_SRC_SECURITY_SERVEROPTIONS_H
11 
12 #include "anyp/forward.h"
13 #include "security/PeerOptions.h"
14 #if USE_OPENSSL
15 #include "compat/openssl.h"
16 #if HAVE_OPENSSL_X509_H
17 #include <openssl/x509.h>
18 #endif
19 #endif
20 
21 namespace Security
22 {
23 
25 class ServerOptions : public PeerOptions // TLS squid.conf settings for a listening port; extends PeerOptions (TLS settings for a remote server peer)
26 {
27 public:
28 #if USE_OPENSSL
 // Deleter wrapper for an OpenSSL STACK_OF(X509_NAME): it provides the
 // sk_X509_NAME_free_wrapper type used by the unique_ptr typedef below, so the
 // stack is freed (using X509_NAME_free) when the owning pointer is destroyed.
29  sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
 // Owning pointer to a stack of CA names; used for clientCaStack in OpenSSL builds.
30  typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
31 #endif
32 
 // NOTE(review): this rendered listing omits several original lines (e.g. 33,
 // 36, 39-40); the default constructor these two comment lines belong to is not
 // shown. Presumably it disables the system default trusted CA via
 // flags.tlsDefaultCa.defaultTo(...) -- confirm against the full header.
34  // Bug 4005: dynamic contexts use a lot of memory and it
35  // is more secure to have only a small set of trusted CA.
37  } // closes the (omitted) default constructor
38  ServerOptions(const ServerOptions &) = default;
 // Move-assignment delegates to copy-assignment: 'o' is a named rvalue
 // reference and therefore an lvalue, so the const& overload is selected and
 // the source object is left intact rather than moved from.
 // (The move constructor at original line 40 is omitted from this listing.)
41  ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
42  virtual ~ServerOptions() = default;
43 
44  /* Security::PeerOptions API */
45  virtual void parse(const char *); // parse a TLS squid.conf option
 // Reset to defaults by assigning a freshly constructed ServerOptions
 // (goes through the move-assignment above, i.e. a copy of the temporary).
46  virtual void clear() {*this = ServerOptions();}
48  virtual void dumpCfg(Packable *, const char *pfx) const; // output squid.conf syntax with 'pfx' prefix on each stored setting
49 
 // NOTE(review): further declarations around original lines 47-66 are omitted
 // from this listing; the page's symbol index lists createBlankContext,
 // createStaticServerContext, initServerContexts, updateContextConfig,
 // updateContextClientCa, updateContextEecdh and updateContextSessionId, but
 // which of them sits where cannot be told from this page.
53 
56 
59 
62 
65 
67  void syncCaFiles(); // sync the various sources of CA files to be loaded
68 
69 public:
 // (original lines 70-72 omitted: staticContext and staticContextSessionId,
 // per the page's index)
73 
74 #if USE_OPENSSL
 // (original line 75 omitted: the OpenSSL-build default for
 // generateHostCertificates; presumably true, given the #else branch's comment)
76 #elif USE_GNUTLS
77  // TODO: GnuTLS does implement TLS server connections so the cert
78  // generate vs static choice can be reached in the code now.
79  // But this feature is not fully implemented so must not
80  // be enabled by default for production installations.
81  bool generateHostCertificates = false; // dynamically make host certs (off in GnuTLS builds)
82 #else
83  // same as OpenSSL so config errors show up easily
84  bool generateHostCertificates = true;
85 #endif
86 
 // (original lines 87-88 omitted: signingCa and untrustedSigningCa, the x509
 // certificate+key pairs for signing generated certificates, per the index)
89 
 // Upper bound (bytes) on the in-memory cache of generated certificates; 4 MB default.
91  size_t dynamicCertMemCacheSize = 4*1024*1024;
92 
93 private:
 // presumably loads clientCaFile into clientCaStack and reports success -- confirm in ServerOptions.cc
94  bool loadClientCaFile();
 // presumably parses dhParamsFile into parsedDhParams -- confirm in ServerOptions.cc
95  void loadDhParams();
96 
101 
 // No brief on this page; presumably builds the signing contexts for the given
 // port from signingCa / untrustedSigningCa -- confirm in ServerOptions.cc.
104  void createSigningContexts(const AnyP::PortCfg &);
105 
106 private:
108 #if USE_OPENSSL
 // (original lines 109-110 omitted: in OpenSSL builds clientCaStack is an owning
 // X509_NAME_STACK_Pointer -- the CA certificate(s) used to verify client certificates)
111 #else
 // Untyped placeholder, initialised to nullptr, when built without OpenSSL.
112  void *clientCaStack = nullptr;
113 #endif
114 
 // (original lines 115-119 omitted; the index also lists dh, dhParamsFile,
 // eecdhCurve, parsedDhParams and clientCaFile, likely the remaining private members)
118 
120 };
121 
122 } // namespace Security
123 
124 #endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */
125 
STACK_OF(X509)*X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
Definition: openssl.h:195
SBuf dh
Diffie-Hellman cipher config.
ServerOptions(ServerOptions &&o)
Definition: ServerOptions.h:40
SBuf staticContextSessionId
"session id context" for staticContext
Definition: ServerOptions.h:72
Definition: SBuf.h:86
bool updateContextConfig(Security::ContextPointer &)
update the given TLS security context using squid.conf settings
void syncCaFiles()
sync the various sources of CA files to be loaded
std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > X509_NAME_STACK_Pointer
Definition: ServerOptions.h:30
YesNoNone tlsDefaultCa
whether to use the system default Trusted CA when verifying the remote end certificate ...
Definition: PeerOptions.h:117
Security::KeyData untrustedSigningCa
x509 certificate and key for signing untrusted generated certificates
Definition: ServerOptions.h:88
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:22
void updateContextClientCa(Security::ContextPointer &)
update the context with CA details used to verify client certificates
void createSigningContexts(const AnyP::PortCfg &)
virtual void clear()
reset the configuration details to default
Definition: ServerOptions.h:46
ServerOptions & operator=(const ServerOptions &)
SBuf clientCaFile
name of file to load client CAs from
virtual void dumpCfg(Packable *, const char *pfx) const
output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
Security::KeyData signingCa
x509 certificate and key for signing generated certificates
Definition: ServerOptions.h:87
void initServerContexts(AnyP::PortCfg &)
X509_NAME_STACK_Pointer clientCaStack
CA certificate(s) to use when verifying client certificates.
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
bool createStaticServerContext(AnyP::PortCfg &)
bool generateHostCertificates
dynamically make host cert
Definition: ServerOptions.h:75
SBuf dhParamsFile
Diffie-Hellman ciphers parameter file.
virtual void parse(const char *)
parse a TLS squid.conf option
SBuf eecdhCurve
Elliptic curve for ephemeral EC-based DH key exchanges.
virtual Security::ContextPointer createBlankContext() const
generate an unset security context object
TLS certificate and private key details from squid.conf.
Definition: KeyData.h:20
void updateContextEecdh(Security::ContextPointer &)
update the context with DH, EDH, EECDH settings
Security::ContextPointer staticContext
TLS context to use for HTTPS accelerator or static SSL-Bump.
Definition: ServerOptions.h:71
struct Security::PeerOptions::flags_ flags
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:25
size_t dynamicCertMemCacheSize
max size of generated certificates memory cache (4 MB default)
Definition: ServerOptions.h:91
sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME)*, X509_NAME_free)
void updateContextSessionId(Security::ContextPointer &)
update the context with a configured session ID (if any)
virtual ~ServerOptions()=default
Security::DhePointer parsedDhParams
DH parameters for temporary/ephemeral DH key exchanges.
void defaultTo(bool beSet)
enables or disables the option; updating to 'implicit' state
Definition: YesNoNone.h:59

 
