TLS squid.conf settings for a listening port. More...
#include <ServerOptions.h>
Public Types | |
| typedef std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > | X509_NAME_STACK_Pointer |
Public Member Functions | |
| sk_dtor_wrapper (sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free) | |
| ServerOptions () | |
| ServerOptions (const ServerOptions &)=default | |
| ServerOptions & | operator= (const ServerOptions &) |
| ServerOptions (ServerOptions &&o) | |
| ServerOptions & | operator= (ServerOptions &&o) |
| virtual | ~ServerOptions ()=default |
| virtual void | parse (const char *) |
| parse a TLS squid.conf option More... | |
| virtual void | clear () |
| reset the configuration details to default More... | |
| virtual Security::ContextPointer | createBlankContext () const |
| generate an unset security context object More... | |
| virtual void | dumpCfg (Packable *, const char *pfx) const |
| output squid.conf syntax with 'pfx' prefix on parameters for the stored settings More... | |
| void | initServerContexts (AnyP::PortCfg &) |
| bool | updateContextConfig (Security::ContextPointer &) |
| update the given TLS security context using squid.conf settings More... | |
| void | updateContextEecdh (Security::ContextPointer &) |
| update the context with DH, EDH, EECDH settings More... | |
| void | updateContextClientCa (Security::ContextPointer &) |
| update the context with CA details used to verify client certificates More... | |
| void | updateContextSessionId (Security::ContextPointer &) |
| update the context with a configured session ID (if any) More... | |
| void | syncCaFiles () |
| sync the various sources of CA files to be loaded More... | |
| Security::ContextPointer | createClientContext (bool setOptions) |
| generate a security client-context from these configured options More... | |
| void | updateTlsVersionLimits () |
| sync the context options with tls-min-version=N configuration More... | |
| void | updateContextOptions (Security::ContextPointer &) const |
| Setup the library specific 'options=' parameters for the given context. More... | |
| void | updateContextNpn (Security::ContextPointer &) |
| setup the NPN extension details for the given context More... | |
| void | updateContextCa (Security::ContextPointer &) |
| setup the CA details for the given context More... | |
| void | updateContextCrl (Security::ContextPointer &) |
| setup the CRL details for the given context More... | |
| void | updateContextTrust (Security::ContextPointer &) |
| decide which CAs to trust More... | |
| void | updateSessionOptions (Security::SessionPointer &) |
| setup any library-specific options that can be set for the given session More... | |
Public Attributes | |
| Security::ContextPointer | staticContext |
| TLS context to use for HTTPS accelerator or static SSL-Bump. More... | |
| SBuf | staticContextSessionId |
| "session id context" for staticContext More... | |
| bool | generateHostCertificates = true |
| dynamically make host cert More... | |
| Security::KeyData | signingCa |
| x509 certificate and key for signing generated certificates More... | |
| Security::KeyData | untrustedSigningCa |
| x509 certificate and key for signing untrusted generated certificates More... | |
| size_t | dynamicCertMemCacheSize = 4*1024*1024 |
| max size of generated certificates memory cache (4 MB default) More... | |
| SBuf | sslOptions |
| library-specific options string More... | |
| SBuf | caDir |
| path of directory containing a set of trusted Certificate Authorities More... | |
| SBuf | crlFile |
| path of file containing Certificate Revoke List More... | |
| SBuf | sslCipher |
| SBuf | sslFlags |
| flags defining what TLS operations Squid performs More... | |
| SBuf | sslDomain |
| SBuf | tlsMinVersion |
| version label for minimum TLS version to permit More... | |
| Security::ParsedOptions | parsedOptions |
| parsed value of sslOptions More... | |
| long | parsedFlags = 0 |
| parsed value of sslFlags More... | |
| std::list< Security::KeyData > | certs |
| details from the cert= and file= config parameters More... | |
| std::list< SBuf > | caFiles |
| paths of files containing trusted Certificate Authority More... | |
| Security::CertRevokeList | parsedCrl |
| CRL to use when verifying the remote end certificate. More... | |
| bool | encryptTransport = false |
| whether transport encryption (TLS/SSL) is to be used on connections to the peer More... | |
Protected Member Functions | |
| template<typename T > | |
| Security::ContextPointer | convertContextFromRawPtr (T ctx) const |
Protected Attributes | |
| int | sslVersion = 0 |
| struct Security::PeerOptions::flags_ | flags |
Private Member Functions | |
| bool | loadClientCaFile () |
| void | loadDhParams () |
| bool | createStaticServerContext (AnyP::PortCfg &) |
| void | createSigningContexts (const AnyP::PortCfg &) |
Private Attributes | |
| SBuf | clientCaFile |
| name of file to load client CAs from More... | |
| X509_NAME_STACK_Pointer | clientCaStack |
| CA certificate(s) to use when verifying client certificates. More... | |
| SBuf | dh |
| Diffi-Helman cipher config. More... | |
| SBuf | dhParamsFile |
| Diffi-Helman ciphers parameter file. More... | |
| SBuf | eecdhCurve |
| Elliptic curve for ephemeral EC-based DH key exchanges. More... | |
| Security::DhePointer | parsedDhParams |
| DH parameters for temporary/ephemeral DH key exchanges. More... | |
Detailed Description
Definition at line 25 of file ServerOptions.h.
Member Typedef Documentation
◆ X509_NAME_STACK_Pointer
| typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> Security::ServerOptions::X509_NAME_STACK_Pointer |
Definition at line 30 of file ServerOptions.h.
Constructor & Destructor Documentation
◆ ServerOptions() [1/3]
|
inline |
Definition at line 33 of file ServerOptions.h.
References YesNoNone::defaultTo(), Security::PeerOptions::flags, operator=(), and Security::PeerOptions::flags_::tlsDefaultCa.
Referenced by clear().
◆ ServerOptions() [2/3]
|
default |
◆ ServerOptions() [3/3]
|
inline |
Definition at line 40 of file ServerOptions.h.
References operator=().
◆ ~ServerOptions()
|
virtualdefault |
Referenced by operator=().
Member Function Documentation
◆ clear()
|
inlinevirtual |
Reimplemented from Security::PeerOptions.
Definition at line 46 of file ServerOptions.h.
References createBlankContext(), dumpCfg(), initServerContexts(), ServerOptions(), syncCaFiles(), updateContextClientCa(), updateContextConfig(), updateContextEecdh(), and updateContextSessionId().
◆ convertContextFromRawPtr()
|
inlineprotectedinherited |
Definition at line 94 of file PeerOptions.h.
References assert, debugs, and p.
Referenced by Security::PeerOptions::createBlankContext(), and createBlankContext().
◆ createBlankContext()
|
virtual |
Reimplemented from Security::PeerOptions.
Definition at line 156 of file ServerOptions.cc.
References Security::PeerOptions::convertContextFromRawPtr(), DBG_CRITICAL, debugs, Security::ErrorString(), Ssl::Initialize(), and TLS_server_method.
Referenced by clear(), Ssl::createSSLContext(), and createStaticServerContext().
◆ createClientContext()
|
inherited |
Definition at line 275 of file PeerOptions.cc.
References Security::PeerOptions::createBlankContext(), Ssl::InitClientContext(), Security::PeerOptions::parsedFlags, Security::PeerOptions::updateContextCa(), Security::PeerOptions::updateContextCrl(), Security::PeerOptions::updateContextNpn(), Security::PeerOptions::updateContextOptions(), Security::PeerOptions::updateContextTrust(), and Security::PeerOptions::updateTlsVersionLimits().
Referenced by Security::PeerOptions::clear(), configDoConfigure(), and Adaptation::Icap::ServiceRep::finalize().
◆ createSigningContexts()
|
private |
initialize contexts for signing dynamic TLS certificates (if needed) the resulting keys are stored in signingCa and untrustedSigningCa
Definition at line 278 of file ServerOptions.cc.
References buf, Security::KeyData::cert, Security::PeerOptions::certs, DBG_CRITICAL, DBG_IMPORTANT, debugs, fatalf(), Ssl::generateUntrustedCert(), Security::KeyData::pkey, AnyP::ProtocolVersion::protocol, AnyP::ProtocolType_str, Security::LockingPointer< T, UnLocker, Locker >::reset(), AnyP::PortCfg::s, signingCa, Ip::Address::toUrl(), AnyP::PortCfg::transport, and untrustedSigningCa.
Referenced by initServerContexts().
◆ createStaticServerContext()
|
private |
generate a security server-context from these configured options the resulting context is stored in staticContext
- Returns
- true if a context could be created
Definition at line 207 of file ServerOptions.cc.
References SBuf::append(), SBuf::appendf(), Security::PeerOptions::certs, createBlankContext(), DBG_CRITICAL, DBG_IMPORTANT, debugs, error(), Security::ErrorString(), keys, loadClientCaFile(), staticContext, updateContextConfig(), and Security::PeerOptions::updateTlsVersionLimits().
Referenced by initServerContexts().
◆ dumpCfg()
|
virtual |
Reimplemented from Security::PeerOptions.
Definition at line 133 of file ServerOptions.cc.
References Packable::appendf(), dh, Security::PeerOptions::dumpCfg(), dynamicCertMemCacheSize, Security::PeerOptions::encryptTransport, generateHostCertificates, SBuf::isEmpty(), SQUIDSBUFPH, SQUIDSBUFPRINT, and staticContextSessionId.
Referenced by clear().
◆ initServerContexts()
| void Security::ServerOptions::initServerContexts | ( | AnyP::PortCfg & | port | ) |
initialize all server contexts as-needed and load PEM files. if none can be created this may do nothing.
Definition at line 186 of file ServerOptions.cc.
References buf, Security::PeerOptions::certs, createSigningContexts(), createStaticServerContext(), fatalf(), generateHostCertificates, AnyP::ProtocolVersion::protocol, AnyP::ProtocolType_str, AnyP::PortCfg::s, Ip::Address::toUrl(), and AnyP::PortCfg::transport.
Referenced by clear().
◆ loadClientCaFile()
|
private |
load clientca= file (if any) into memory.
- Return values
-
true clientca is not set, or loaded successfully false unable to load the file, or not using OpenSSL
Definition at line 331 of file ServerOptions.cc.
References SBuf::c_str(), clientCaFile, clientCaStack, DBG_CRITICAL, debugs, and SBuf::isEmpty().
Referenced by createStaticServerContext().
◆ loadDhParams()
|
private |
Definition at line 348 of file ServerOptions.cc.
References SBuf::c_str(), DBG_IMPORTANT, debugs, dhParamsFile, SBuf::isEmpty(), NULL, parsedDhParams, and Security::LockingPointer< T, UnLocker, Locker >::resetWithoutLocking().
Referenced by parse().
◆ operator=() [1/2]
| Security::ServerOptions & Security::ServerOptions::operator= | ( | const ServerOptions & | old | ) |
Definition at line 28 of file ServerOptions.cc.
References clientCaFile, clientCaStack, dh, dhParamsFile, dynamicCertMemCacheSize, eecdhCurve, generateHostCertificates, Security::PeerOptions::operator=(), parsedDhParams, signingCa, staticContextSessionId, and untrustedSigningCa.
Referenced by operator=(), and ServerOptions().
◆ operator=() [2/2]
|
inline |
Definition at line 41 of file ServerOptions.h.
References operator=(), parse(), and ~ServerOptions().
◆ parse()
|
virtual |
Reimplemented from Security::PeerOptions.
Definition at line 53 of file ServerOptions.cc.
References SBuf::append(), SBuf::clear(), clientCaFile, DBG_CRITICAL, DBG_IMPORTANT, DBG_PARSE_NOTE, debugs, dh, dhParamsFile, dynamicCertMemCacheSize, eecdhCurve, Security::PeerOptions::encryptTransport, SBuf::find(), generateHostCertificates, SBuf::isEmpty(), SBuf::length(), loadDhParams(), max(), SBuf::npos, Security::PeerOptions::parse(), parseBytesOptionValue(), self_destruct(), staticContextSessionId, and SBuf::substr().
Referenced by operator=().
◆ sk_dtor_wrapper()
| Security::ServerOptions::sk_dtor_wrapper | ( | sk_X509_NAME | , |
| STACK_OF(X509_NAME) * | , | ||
| X509_NAME_free | |||
| ) |
◆ syncCaFiles()
| void Security::ServerOptions::syncCaFiles | ( | ) |
Definition at line 316 of file ServerOptions.cc.
References Security::PeerOptions::caFiles, clientCaFile, and SBuf::isEmpty().
Referenced by clear().
◆ updateContextCa()
|
inherited |
Definition at line 646 of file PeerOptions.cc.
References SBuf::c_str(), Security::PeerOptions::caDir, Security::PeerOptions::caFiles, DBG_IMPORTANT, debugs, Security::ErrorString(), Security::PeerOptions::flags, i, SBuf::isEmpty(), loadSystemTrustedCa(), and Security::PeerOptions::flags_::tlsDefaultCa.
Referenced by Security::PeerOptions::clear(), Security::PeerOptions::createClientContext(), and updateContextConfig().
◆ updateContextClientCa()
| void Security::ServerOptions::updateContextClientCa | ( | Security::ContextPointer & | ctx | ) |
Definition at line 420 of file ServerOptions.cc.
References clientCaStack, DBG_CRITICAL, debugs, Security::ErrorString(), NULL, Security::PeerOptions::parsedFlags, Ssl::SetupVerifyCallback(), SSL_FLAG_DELAYED_AUTH, STACK_OF(), Security::PeerOptions::updateContextCrl(), and Security::PeerOptions::updateContextTrust().
Referenced by clear(), and updateContextConfig().
◆ updateContextConfig()
| bool Security::ServerOptions::updateContextConfig | ( | Security::ContextPointer & | ctx | ) |
Definition at line 379 of file ServerOptions.cc.
References SBuf::c_str(), Config, DBG_CRITICAL, debugs, Security::ErrorString(), SBuf::isEmpty(), Ssl::MaybeSetupRsaCallback(), Security::PeerOptions::parsedFlags, Security::SetSessionCacheCallbacks(), SquidConfig::SSL, ssl_ctx_ex_index_dont_verify_domain, SSL_FLAG_DONT_VERIFY_DOMAIN, SSL_FLAG_NO_SESSION_REUSE, Security::PeerOptions::sslCipher, SquidConfig::unclean_shutdown, Security::PeerOptions::updateContextCa(), updateContextClientCa(), updateContextEecdh(), Security::PeerOptions::updateContextOptions(), and updateContextSessionId().
Referenced by clear(), Ssl::createSSLContext(), and createStaticServerContext().
◆ updateContextCrl()
|
inherited |
Definition at line 682 of file PeerOptions.cc.
References debugs, i, Security::PeerOptions::parsedCrl, Security::PeerOptions::parsedFlags, SSL_FLAG_VERIFY_CRL, and SSL_FLAG_VERIFY_CRL_ALL.
Referenced by Security::PeerOptions::clear(), Security::PeerOptions::createClientContext(), and updateContextClientCa().
◆ updateContextEecdh()
| void Security::ServerOptions::updateContextEecdh | ( | Security::ContextPointer & | ctx | ) |
Definition at line 452 of file ServerOptions.cc.
References SBuf::c_str(), DBG_CRITICAL, debugs, eecdhCurve, Security::ErrorString(), Security::LockingPointer< T, UnLocker, Locker >::get(), SBuf::isEmpty(), and parsedDhParams.
Referenced by clear(), and updateContextConfig().
◆ updateContextNpn()
|
inherited |
Definition at line 615 of file PeerOptions.cc.
References Security::PeerOptions::flags, and Security::PeerOptions::flags_::tlsNpn.
Referenced by Security::PeerOptions::clear(), and Security::PeerOptions::createClientContext().
◆ updateContextOptions()
|
inherited |
Definition at line 594 of file PeerOptions.cc.
References arg, and Security::PeerOptions::parsedOptions.
Referenced by Security::PeerOptions::clear(), Security::PeerOptions::createClientContext(), and updateContextConfig().
◆ updateContextSessionId()
| void Security::ServerOptions::updateContextSessionId | ( | Security::ContextPointer & | ctx | ) |
Definition at line 493 of file ServerOptions.cc.
References SBuf::isEmpty(), SBuf::length(), SBuf::rawContent(), and staticContextSessionId.
Referenced by clear(), and updateContextConfig().
◆ updateContextTrust()
|
inherited |
Definition at line 707 of file PeerOptions.cc.
References assert, DBG_IMPORTANT, debugs, and Security::ErrorString().
Referenced by Security::PeerOptions::clear(), Security::PeerOptions::createClientContext(), and updateContextClientCa().
◆ updateSessionOptions()
|
inherited |
Definition at line 724 of file PeerOptions.cc.
References DBG_IMPORTANT, debugs, Security::ErrorString(), Security::PeerOptions::parsedOptions, and Security::PeerOptions::sslOptions.
Referenced by Security::PeerOptions::clear(), and CreateSession().
◆ updateTlsVersionLimits()
|
inherited |
Definition at line 150 of file PeerOptions.cc.
References SBuf::append(), SBuf::chop(), DBG_PARSE_NOTE, debugs, Parser::Tokenizer::int64(), SBuf::isEmpty(), Security::PeerOptions::parsedOptions, Parser::Tokenizer::skip(), Security::PeerOptions::sslOptions, Security::PeerOptions::sslVersion, and Security::PeerOptions::tlsMinVersion.
Referenced by Security::PeerOptions::clear(), Security::PeerOptions::createClientContext(), and createStaticServerContext().
Member Data Documentation
◆ caDir
|
inherited |
Definition at line 76 of file PeerOptions.h.
Referenced by Security::PeerOptions::dumpCfg(), Security::PeerOptions::parse(), and Security::PeerOptions::updateContextCa().
◆ caFiles
|
inherited |
Definition at line 89 of file PeerOptions.h.
Referenced by Security::PeerOptions::dumpCfg(), Security::PeerOptions::parse(), syncCaFiles(), and Security::PeerOptions::updateContextCa().
◆ certs
|
inherited |
Definition at line 88 of file PeerOptions.h.
Referenced by createSigningContexts(), createStaticServerContext(), Security::PeerOptions::dumpCfg(), Ssl::InitClientContext(), initServerContexts(), and Security::PeerOptions::parse().
◆ clientCaFile
|
private |
Definition at line 107 of file ServerOptions.h.
Referenced by loadClientCaFile(), operator=(), parse(), and syncCaFiles().
◆ clientCaStack
|
private |
Definition at line 110 of file ServerOptions.h.
Referenced by loadClientCaFile(), operator=(), and updateContextClientCa().
◆ crlFile
|
inherited |
Definition at line 77 of file PeerOptions.h.
Referenced by Security::PeerOptions::dumpCfg(), Security::PeerOptions::loadCrlFile(), and Security::PeerOptions::parse().
◆ dh
|
private |
Definition at line 115 of file ServerOptions.h.
Referenced by dumpCfg(), operator=(), and parse().
◆ dhParamsFile
|
private |
Definition at line 116 of file ServerOptions.h.
Referenced by loadDhParams(), operator=(), and parse().
◆ dynamicCertMemCacheSize
| size_t Security::ServerOptions::dynamicCertMemCacheSize = 4*1024*1024 |
Definition at line 91 of file ServerOptions.h.
Referenced by dumpCfg(), operator=(), and parse().
◆ eecdhCurve
|
private |
Definition at line 117 of file ServerOptions.h.
Referenced by operator=(), parse(), and updateContextEecdh().
◆ encryptTransport
|
inherited |
Definition at line 128 of file PeerOptions.h.
Referenced by dumpCfg(), Security::PeerOptions::dumpCfg(), Adaptation::Config::dumpService(), Adaptation::Icap::ServiceRep::finalize(), Security::BlindPeerConnector::getTlsContext(), PeerPoolMgr::handleOpenedConnection(), Security::BlindPeerConnector::initialize(), netdbExchangeStart(), Adaptation::ServiceConfig::parse(), Security::PeerOptions::parse(), parse(), peerDigestRequest(), and FwdState::secureConnectionToPeerIfNeeded().
◆ flags
|
protectedinherited |
◆ generateHostCertificates
| bool Security::ServerOptions::generateHostCertificates = true |
Definition at line 75 of file ServerOptions.h.
Referenced by dumpCfg(), initServerContexts(), operator=(), and parse().
◆ parsedCrl
|
inherited |
Definition at line 90 of file PeerOptions.h.
Referenced by Security::PeerOptions::loadCrlFile(), and Security::PeerOptions::updateContextCrl().
◆ parsedDhParams
|
private |
Definition at line 119 of file ServerOptions.h.
Referenced by loadDhParams(), operator=(), and updateContextEecdh().
◆ parsedFlags
|
inherited |
Definition at line 86 of file PeerOptions.h.
Referenced by Security::PeerOptions::createClientContext(), Security::PeerOptions::parse(), updateContextClientCa(), updateContextConfig(), and Security::PeerOptions::updateContextCrl().
◆ parsedOptions
|
inherited |
Definition at line 85 of file PeerOptions.h.
Referenced by Ssl::PeekingPeerConnector::initialize(), Security::PeerOptions::parseOptions(), Security::PeerOptions::updateContextOptions(), Security::PeerOptions::updateSessionOptions(), and Security::PeerOptions::updateTlsVersionLimits().
◆ signingCa
| Security::KeyData Security::ServerOptions::signingCa |
Definition at line 87 of file ServerOptions.h.
Referenced by Ssl::chainCertificatesToSSLContext(), createSigningContexts(), and operator=().
◆ sslCipher
|
inherited |
Definition at line 79 of file PeerOptions.h.
Referenced by Security::PeerOptions::dumpCfg(), Ssl::InitClientContext(), Security::PeerOptions::parse(), and updateContextConfig().
◆ sslDomain
|
inherited |
Definition at line 81 of file PeerOptions.h.
Referenced by Adaptation::ServiceConfig::grokUri(), Security::BlindPeerConnector::initialize(), and Security::PeerOptions::parse().
◆ sslFlags
|
inherited |
Definition at line 80 of file PeerOptions.h.
Referenced by Security::PeerOptions::dumpCfg(), Security::PeerOptions::parse(), and Security::PeerOptions::parseFlags().
◆ sslOptions
|
inherited |
Definition at line 75 of file PeerOptions.h.
Referenced by Security::PeerOptions::dumpCfg(), Security::PeerOptions::parse(), Security::PeerOptions::parseOptions(), Security::PeerOptions::updateSessionOptions(), and Security::PeerOptions::updateTlsVersionLimits().
◆ sslVersion
|
protectedinherited |
Definition at line 111 of file PeerOptions.h.
Referenced by Security::PeerOptions::parse(), and Security::PeerOptions::updateTlsVersionLimits().
◆ staticContext
| Security::ContextPointer Security::ServerOptions::staticContext |
Definition at line 71 of file ServerOptions.h.
Referenced by createStaticServerContext().
◆ staticContextSessionId
| SBuf Security::ServerOptions::staticContextSessionId |
Definition at line 72 of file ServerOptions.h.
Referenced by dumpCfg(), operator=(), parse(), and updateContextSessionId().
◆ tlsMinVersion
|
inherited |
Definition at line 83 of file PeerOptions.h.
Referenced by Security::PeerOptions::parse(), and Security::PeerOptions::updateTlsVersionLimits().
◆ untrustedSigningCa
| Security::KeyData Security::ServerOptions::untrustedSigningCa |
Definition at line 88 of file ServerOptions.h.
Referenced by createSigningContexts(), and operator=().
The documentation for this class was generated from the following files:
- src/security/ServerOptions.h
- src/security/ServerOptions.cc