ServerOptions.h
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9#ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
10#define SQUID_SRC_SECURITY_SERVEROPTIONS_H
11
12#include "anyp/forward.h"
14#if USE_OPENSSL
15#include "compat/openssl.h"
16#if HAVE_OPENSSL_X509_H
17#include <openssl/x509.h>
18#endif
19#endif
20
21namespace Security
22{
23
26{
27public:
28#if USE_OPENSSL
29 sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
30 typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
31#endif
32
34 // Bug 4005: dynamic contexts use a lot of memory and it
35 // is more secure to have only a small set of trusted CA.
37 }
/// Copy constructor: default-construct, then delegate to the user-defined
/// copy assignment. That keeps the duplication of every member in one place,
/// operator=(const ServerOptions &) -- which is required anyway, because the
/// unique_ptr-based clientCaStack (OpenSSL build) is not copyable by a
/// compiler-generated copy.
ServerOptions(const ServerOptions &o) : ServerOptions() { operator=(o); }
/// Move assignment. `o` is a named rvalue reference and therefore an lvalue,
/// so the assignment below resolves to operator=(const ServerOptions &):
/// a "move" is carried out as a full copy and `o` is left unmodified
/// (it is only ever seen through a const reference). In particular the
/// CA stack and the shared staticContext are not transferred out of `o`.
ServerOptions &operator =(ServerOptions &&o)
{
    *this = o;
    return *this;
}
/// Defaulted virtual destructor (`override` implies PeerOptions' destructor
/// is virtual). Nothing to do by hand: in the OpenSSL build clientCaStack is
/// a unique_ptr whose deleter runs sk_X509_NAME_free-style cleanup, and the
/// staticContext is a shared_ptr<SSL_CTX>; both release themselves.
~ServerOptions() override = default;
43
44 /* Security::PeerOptions API */
45 void parse(const char *) override;
/// Security::PeerOptions API: reset every setting to the constructor defaults.
/// Implemented as an assignment from a freshly constructed object, so the
/// same operator= that copies settings also drops the previous staticContext,
/// client CA stack and certificate/key material held by this instance.
void clear() override
{
    ServerOptions pristine;
    *this = pristine;
}
48 void dumpCfg(std::ostream &, const char *pfx) const override;
49
53
56
59
62
65
67 void syncCaFiles();
68
69public:
73
74#if USE_OPENSSL
76#elif USE_GNUTLS
77 // TODO: GnuTLS does implement TLS server connections so the cert
78 // generate vs static choice can be reached in the code now.
79 // But this feature is not fully implemented, so it must not
80 // be enabled by default for production installations.
81 bool generateHostCertificates = false;
82#else
83 // same as OpenSSL so config errors show up easily
84 bool generateHostCertificates = true;
85#endif
86
89
91 size_t dynamicCertMemCacheSize = 4*1024*1024;
92
93private:
94 bool loadClientCaFile();
95 void loadDhParams();
96
101
105
106private:
108#if USE_OPENSSL
111#else
112 void *clientCaStack = nullptr;
113#endif
114
118
120};
121
122} // namespace Security
123
124#endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */
125
Definition: SBuf.h:94
TLS certificate and private key details from squid.conf.
Definition: KeyData.h:21
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:26
struct Security::PeerOptions::flags_ flags
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:26
size_t dynamicCertMemCacheSize
max size of generated certificates memory cache (4 MB default)
Definition: ServerOptions.h:91
void createSigningContexts(const AnyP::PortCfg &)
Security::ContextPointer createBlankContext() const override
generate an unset security context object
void clear() override
reset the configuration details to default
Definition: ServerOptions.h:46
void updateContextEecdh(Security::ContextPointer &)
update the context with DH, EDH, EECDH settings
SBuf dhParamsFile
Diffie-Hellman cipher parameters file.
X509_NAME_STACK_Pointer clientCaStack
CA certificate(s) to use when verifying client certificates.
ServerOptions(const ServerOptions &o)
Definition: ServerOptions.h:38
bool createStaticServerContext(AnyP::PortCfg &)
SBuf eecdhCurve
Elliptic curve for ephemeral EC-based DH key exchanges.
Security::KeyData untrustedSigningCa
x509 certificate and key for signing untrusted generated certificates
Definition: ServerOptions.h:88
void parse(const char *) override
parse a TLS squid.conf option
bool generateHostCertificates
dynamically make host cert
Definition: ServerOptions.h:75
void dumpCfg(std::ostream &, const char *pfx) const override
output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
SBuf staticContextSessionId
"session id context" for staticContext
Definition: ServerOptions.h:72
void initServerContexts(AnyP::PortCfg &)
sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free)
SBuf dh
Diffie-Hellman cipher config.
ServerOptions(ServerOptions &&o)
Definition: ServerOptions.h:40
void syncCaFiles()
sync the various sources of CA files to be loaded
Security::DhePointer parsedDhParams
DH parameters for temporary/ephemeral DH key exchanges.
bool updateContextConfig(Security::ContextPointer &)
update the given TLS security context using squid.conf settings
ServerOptions & operator=(const ServerOptions &)
std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > X509_NAME_STACK_Pointer
Definition: ServerOptions.h:30
Security::ContextPointer staticContext
TLS context to use for HTTPS accelerator or static SSL-Bump.
Definition: ServerOptions.h:71
void updateContextSessionId(Security::ContextPointer &)
update the context with a configured session ID (if any)
~ServerOptions() override=default
SBuf clientCaFile
name of file to load client CAs from
Security::KeyData signingCa
x509 certificate and key for signing generated certificates
Definition: ServerOptions.h:87
void updateContextClientCa(Security::ContextPointer &)
update the context with CA details used to verify client certificates
void defaultTo(bool beSet)
enables or disables the option; updating to 'implicit' state
Definition: YesNoNone.h:59
Network/connection security abstraction layer.
Definition: Connection.h:34
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
Definition: openssl.h:237
YesNoNone tlsDefaultCa
whether to use the system default Trusted CA when verifying the remote end certificate
Definition: PeerOptions.h:139

 
