ServerOptions.h
1 /*
2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
10 #define SQUID_SRC_SECURITY_SERVEROPTIONS_H
11 
12 #include "anyp/forward.h"
13 #include "security/PeerOptions.h"
14 
15 namespace Security
16 {
17 
/// TLS squid.conf settings for a listening port.
19 class ServerOptions : public PeerOptions
20 {
21 public:
22 #if USE_OPENSSL
23  sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
24  typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer; ///< owning pointer to an OpenSSL X509_NAME stack; released through the sk_X509_NAME_free_wrapper declared above
25 #endif
26 
28  // Bug 4005: dynamic contexts use a lot of memory and it
29  // is more secure to have only a small set of trusted CA.
31  }
32  ServerOptions(const ServerOptions &) = default;
35  ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; } ///< delegates to the copy-assignment operator: o is copied, not moved from
36  virtual ~ServerOptions() = default;
37 
38  /* Security::PeerOptions API */
39  virtual void parse(const char *); ///< parse a TLS squid.conf option
40  virtual void clear() {*this = ServerOptions();} ///< reset the configuration details to default by assigning a freshly constructed ServerOptions
42  virtual void dumpCfg(Packable *, const char *pfx) const; ///< output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
43 
48 
52 
55 
58 
61 
64 
66  void syncCaFiles(); ///< sync the various sources of CA files to be loaded
67 
68 public:
72 
74 
75  Security::CertPointer signingCert; ///< x509 certificate for signing generated certificates
76  Security::PrivateKeyPointer signPkey; ///< private key for signing generated certificates
78  Security::CertPointer untrustedSigningCert; ///< x509 certificate for signing untrusted generated certificates
79  Security::PrivateKeyPointer untrustedSignPkey; ///< private key for signing untrusted generated certificates
80 
82  size_t dynamicCertMemCacheSize = 4*1024*1024; ///< max size of generated certificates memory cache (4 MB default)
83 
84 private:
85  bool loadClientCaFile();
86  void loadDhParams();
87 
88 private:
90 #if USE_OPENSSL
93 #else
94  void *clientCaStack = nullptr; ///< CA certificate(s) to use when verifying client certificates; opaque stand-in for the OpenSSL-only X509_NAME_STACK_Pointer member
95 #endif
96 
97  SBuf dh; ///< Diffie-Hellman cipher config.
100 
102 };
103 
104 } // namespace Security
105 
106 #endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */
107 
SBuf dh
Diffie-Hellman cipher config.
Definition: ServerOptions.h:97
ServerOptions(ServerOptions &&o)
Definition: ServerOptions.h:34
SBuf staticContextSessionId
"session id context" for staticContext
Definition: ServerOptions.h:71
Definition: SBuf.h:87
bool updateContextConfig(Security::ContextPointer &)
update the given TLS security context using squid.conf settings
Security::PrivateKeyPointer untrustedSignPkey
private key for signing untrusted generated certificates
Definition: ServerOptions.h:79
void syncCaFiles()
sync the various sources of CA files to be loaded
std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > X509_NAME_STACK_Pointer
Definition: ServerOptions.h:24
Security::CertList certsToChain
x509 certificates to send with the generated cert
Definition: ServerOptions.h:77
YesNoNone tlsDefaultCa
whether to use the system default Trusted CA when verifying the remote end certificate ...
Definition: PeerOptions.h:116
CtoCpp1(X509_free, X509 *) typedef Security CtoCpp1(X509_CRL_free, X509_CRL *) typedef Security typedef std::list< Security::CertPointer CertList)
Definition: forward.h:96
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:22
void updateContextClientCa(Security::ContextPointer &)
update the context with CA details used to verify client certificates
Security::CertPointer signingCert
x509 certificate for signing generated certificates
Definition: ServerOptions.h:75
virtual void clear()
reset the configuration details to default
Definition: ServerOptions.h:40
ServerOptions & operator=(const ServerOptions &)
SBuf clientCaFile
name of file to load client CAs from
Definition: ServerOptions.h:89
virtual void dumpCfg(Packable *, const char *pfx) const
output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
X509_NAME_STACK_Pointer clientCaStack
CA certificate(s) to use when verifying client certificates.
Definition: ServerOptions.h:92
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:28
Security::PrivateKeyPointer signPkey
private key for signing generated certificates
Definition: ServerOptions.h:76
bool createStaticServerContext(AnyP::PortCfg &)
bool generateHostCertificates
dynamically make host cert
Definition: ServerOptions.h:73
SBuf dhParamsFile
Diffie-Hellman ciphers parameter file.
Definition: ServerOptions.h:98
static STACK_OF(X509)*PeerValidationCertificatesChain(const Security
virtual void parse(const char *)
parse a TLS squid.conf option
SBuf eecdhCurve
Elliptic curve for ephemeral EC-based DH key exchanges.
Definition: ServerOptions.h:99
Security::CertPointer untrustedSigningCert
x509 certificate for signing untrusted generated certificates
Definition: ServerOptions.h:78
virtual Security::ContextPointer createBlankContext() const
generate an unset security context object
void updateContextEecdh(Security::ContextPointer &)
update the context with DH, EDH, EECDH settings
Security::ContextPointer staticContext
TLS context to use for HTTPS accelerator or static SSL-Bump.
Definition: ServerOptions.h:70
struct Security::PeerOptions::flags_ flags
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:19
size_t dynamicCertMemCacheSize
max size of generated certificates memory cache (4 MB default)
Definition: ServerOptions.h:82
sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME)*, X509_NAME_free)
void createSigningContexts(AnyP::PortCfg &)
void updateContextSessionId(Security::ContextPointer &)
update the context with a configured session ID (if any)
virtual ~ServerOptions()=default
Security::DhePointer parsedDhParams
DH parameters for temporary/ephemeral DH key exchanges.
void defaultTo(bool beSet)
enables or disables the option, updating it to the 'implicit' state
Definition: YesNoNone.h:58

 
