TLS squid.conf settings for a listening port. More...

#include <ServerOptions.h>

Inheritance diagram for Security::ServerOptions:
Collaboration diagram for Security::ServerOptions:

Public Types

typedef std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > X509_NAME_STACK_Pointer
 

Public Member Functions

 sk_dtor_wrapper (sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free)
 
 ServerOptions ()
 
 ServerOptions (const ServerOptions &o)
 
ServerOptionsoperator= (const ServerOptions &)
 
 ServerOptions (ServerOptions &&o)
 
ServerOptionsoperator= (ServerOptions &&o)
 
virtual ~ServerOptions ()=default
 
virtual void parse (const char *)
 parse a TLS squid.conf option More...
 
virtual void clear ()
 reset the configuration details to default More...
 
virtual Security::ContextPointer createBlankContext () const
 generate an unset security context object More...
 
virtual void dumpCfg (Packable *, const char *pfx) const
 output squid.conf syntax with 'pfx' prefix on parameters for the stored settings More...
 
void initServerContexts (AnyP::PortCfg &)
 
bool updateContextConfig (Security::ContextPointer &)
 update the given TLS security context using squid.conf settings More...
 
void updateContextEecdh (Security::ContextPointer &)
 update the context with DH, EDH, EECDH settings More...
 
void updateContextClientCa (Security::ContextPointer &)
 update the context with CA details used to verify client certificates More...
 
void updateContextSessionId (Security::ContextPointer &)
 update the context with a configured session ID (if any) More...
 
void syncCaFiles ()
 sync the various sources of CA files to be loaded More...
 
void parseOptions ()
 parse and verify the [tls-]options= string in sslOptions More...
 
Security::ContextPointer createClientContext (bool setOptions)
 generate a security client-context from these configured options More...
 
void updateTlsVersionLimits ()
 sync the context options with tls-min-version=N configuration More...
 
void updateContextOptions (Security::ContextPointer &)
 Setup the library specific 'options=' parameters for the given context. More...
 
void updateContextNpn (Security::ContextPointer &)
 setup the NPN extension details for the given context More...
 
void updateContextCa (Security::ContextPointer &)
 setup the CA details for the given context More...
 
void updateContextCrl (Security::ContextPointer &)
 setup the CRL details for the given context More...
 
void updateContextTrust (Security::ContextPointer &)
 decide which CAs to trust More...
 
void updateSessionOptions (Security::SessionPointer &)
 setup any library-specific options that can be set for the given session More...
 

Public Attributes

Security::ContextPointer staticContext
 TLS context to use for HTTPS accelerator or static SSL-Bump. More...
 
SBuf staticContextSessionId
 "session id context" for staticContext More...
 
bool generateHostCertificates = true
 dynamically make host cert More...
 
Security::KeyData signingCa
 x509 certificate and key for signing generated certificates More...
 
Security::KeyData untrustedSigningCa
 x509 certificate and key for signing untrusted generated certificates More...
 
size_t dynamicCertMemCacheSize = 4*1024*1024
 max size of generated certificates memory cache (4 MB default) More...
 
SBuf sslOptions
 library-specific options string More...
 
SBuf caDir
 path of directory containing a set of trusted Certificate Authorities More...
 
SBuf crlFile
 path of file containing Certificate Revoke List More...
 
SBuf sslCipher
 
SBuf sslFlags
 flags defining what TLS operations Squid performs More...
 
SBuf sslDomain
 
SBuf tlsMinVersion
 version label for minimum TLS version to permit More...
 
ParsedPortFlags parsedFlags = 0
 parsed value of sslFlags More...
 
std::list< Security::KeyDatacerts
 details from the cert= and file= config parameters More...
 
std::list< SBufcaFiles
 paths of files containing trusted Certificate Authority More...
 
Security::CertRevokeList parsedCrl
 CRL to use when verifying the remote end certificate. More...
 
bool encryptTransport = false
 whether transport encryption (TLS/SSL) is to be used on connections to the peer More...
 

Protected Member Functions

template<typename T >
Security::ContextPointer convertContextFromRawPtr (T ctx) const
 

Protected Attributes

int sslVersion = 0
 
struct Security::PeerOptions::flags_ flags
 

Private Member Functions

bool loadClientCaFile ()
 
void loadDhParams ()
 
bool createStaticServerContext (AnyP::PortCfg &)
 
void createSigningContexts (const AnyP::PortCfg &)
 
ParsedPortFlags parseFlags ()
 
void loadCrlFile ()
 
void loadKeysFile ()
 

Private Attributes

SBuf clientCaFile
 name of file to load client CAs from More...
 
X509_NAME_STACK_Pointer clientCaStack
 CA certificate(s) to use when verifying client certificates. More...
 
SBuf dh
 Diffi-Helman cipher config. More...
 
SBuf dhParamsFile
 Diffi-Helman ciphers parameter file. More...
 
SBuf eecdhCurve
 Elliptic curve for ephemeral EC-based DH key exchanges. More...
 
Security::DhePointer parsedDhParams
 DH parameters for temporary/ephemeral DH key exchanges. More...
 
SBuf tlsMinOptions
 
Security::ParsedOptions parsedOptions
 
bool optsReparse = true
 whether parsedOptions content needs to be regenerated More...
 

Detailed Description

Definition at line 25 of file ServerOptions.h.

Member Typedef Documentation

◆ X509_NAME_STACK_Pointer

typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> Security::ServerOptions::X509_NAME_STACK_Pointer

Definition at line 30 of file ServerOptions.h.

Constructor & Destructor Documentation

◆ ServerOptions() [1/3]

Security::ServerOptions::ServerOptions ( )
inline

◆ ServerOptions() [2/3]

Security::ServerOptions::ServerOptions ( const ServerOptions o)
inline

Definition at line 38 of file ServerOptions.h.

◆ ServerOptions() [3/3]

Security::ServerOptions::ServerOptions ( ServerOptions &&  o)
inline

Definition at line 40 of file ServerOptions.h.

References operator=().

◆ ~ServerOptions()

virtual Security::ServerOptions::~ServerOptions ( )
virtualdefault

Member Function Documentation

◆ clear()

virtual void Security::ServerOptions::clear ( )
inlinevirtual

Reimplemented from Security::PeerOptions.

Definition at line 46 of file ServerOptions.h.

References ServerOptions().

◆ convertContextFromRawPtr()

template<typename T >
Security::ContextPointer Security::PeerOptions::convertContextFromRawPtr ( ctx) const
inlineprotectedinherited

Definition at line 109 of file PeerOptions.h.

References assert, and debugs.

◆ createBlankContext()

Security::ContextPointer Security::ServerOptions::createBlankContext ( ) const
virtual

Reimplemented from Security::PeerOptions.

Definition at line 156 of file ServerOptions.cc.

References DBG_CRITICAL, debugs, Security::ErrorString(), Ssl::Initialize(), and TLS_server_method.

Referenced by Ssl::createSSLContext().

◆ createClientContext()

Security::ContextPointer Security::PeerOptions::createClientContext ( bool  setOptions)
inherited

Definition at line 271 of file PeerOptions.cc.

References Ssl::InitClientContext().

Referenced by configDoConfigure().

◆ createSigningContexts()

void Security::ServerOptions::createSigningContexts ( const AnyP::PortCfg port)
private

initialize contexts for signing dynamic TLS certificates (if needed) the resulting keys are stored in signingCa and untrustedSigningCa

Definition at line 278 of file ServerOptions.cc.

References buf, DBG_CRITICAL, DBG_IMPORTANT, debugs, fatalf(), Ssl::generateUntrustedCert(), port, and AnyP::ProtocolType_str.

◆ createStaticServerContext()

bool Security::ServerOptions::createStaticServerContext ( AnyP::PortCfg port)
private

generate a security server-context from these configured options the resulting context is stored in staticContext

Returns
true if a context could be created

Definition at line 207 of file ServerOptions.cc.

References SBuf::append(), SBuf::appendf(), DBG_CRITICAL, DBG_IMPORTANT, debugs, error(), Security::ErrorString(), and keys.

◆ dumpCfg()

void Security::ServerOptions::dumpCfg ( Packable p,
const char *  pfx 
) const
virtual

◆ initServerContexts()

void Security::ServerOptions::initServerContexts ( AnyP::PortCfg port)

initialize all server contexts as-needed and load PEM files. if none can be created this may do nothing.

Definition at line 186 of file ServerOptions.cc.

References buf, fatalf(), port, and AnyP::ProtocolType_str.

◆ loadClientCaFile()

bool Security::ServerOptions::loadClientCaFile ( )
private

load clientca= file (if any) into memory.

Return values
trueclientca is not set, or loaded successfully
falseunable to load the file, or not using OpenSSL

Definition at line 331 of file ServerOptions.cc.

References DBG_CRITICAL, and debugs.

◆ loadCrlFile()

void Security::PeerOptions::loadCrlFile ( )
privateinherited

Load a CRLs list stored in the file whose /path/name is in crlFile replaces any CRL loaded previously

Definition at line 609 of file PeerOptions.cc.

References debugs, and NULL.

◆ loadDhParams()

void Security::ServerOptions::loadDhParams ( )
private

Definition at line 348 of file ServerOptions.cc.

References DBG_IMPORTANT, debugs, and NULL.

◆ loadKeysFile()

void Security::PeerOptions::loadKeysFile ( )
privateinherited

◆ operator=() [1/2]

◆ operator=() [2/2]

ServerOptions& Security::ServerOptions::operator= ( ServerOptions &&  o)
inline

Definition at line 41 of file ServerOptions.h.

References operator=().

◆ parse()

void Security::ServerOptions::parse ( const char *  token)
virtual

◆ parseFlags()

◆ parseOptions()

void Security::PeerOptions::parseOptions ( )
inherited

Pre-parse TLS options= parameter to be applied when the TLS objects created. Options must not used in the case of peek or stare bump mode.

Definition at line 442 of file PeerOptions.cc.

References CharacterSet::ALPHA, SBuf::append(), Parser::Tokenizer::atEnd(), SBuf::c_str(), SBuf::cmp(), DBG_PARSE_NOTE, debugs, CharacterSet::DIGIT, Security::ErrorString(), fatalf(), Parser::Tokenizer::int64(), SBuf::isEmpty(), ssl_option::name, SQUIDSBUFPH, SQUIDSBUFPRINT, and ssl_options.

Referenced by parse_peer(), parse_securePeerOptions(), and Security::PeerOptions::PeerOptions().

◆ sk_dtor_wrapper()

Security::ServerOptions::sk_dtor_wrapper ( sk_X509_NAME  ,
STACK_OF(X509_NAME) *  ,
X509_NAME_free   
)

◆ syncCaFiles()

void Security::ServerOptions::syncCaFiles ( )

Definition at line 316 of file ServerOptions.cc.

◆ updateContextCa()

void Security::PeerOptions::updateContextCa ( Security::ContextPointer ctx)
inherited

Definition at line 683 of file PeerOptions.cc.

References DBG_IMPORTANT, debugs, Security::ErrorString(), and loadSystemTrustedCa().

◆ updateContextClientCa()

void Security::ServerOptions::updateContextClientCa ( Security::ContextPointer ctx)

◆ updateContextConfig()

◆ updateContextCrl()

void Security::PeerOptions::updateContextCrl ( Security::ContextPointer ctx)
inherited

Definition at line 719 of file PeerOptions.cc.

References debugs, SSL_FLAG_VERIFY_CRL, and SSL_FLAG_VERIFY_CRL_ALL.

◆ updateContextEecdh()

void Security::ServerOptions::updateContextEecdh ( Security::ContextPointer ctx)

Definition at line 445 of file ServerOptions.cc.

References DBG_CRITICAL, debugs, and Security::ErrorString().

◆ updateContextNpn()

void Security::PeerOptions::updateContextNpn ( Security::ContextPointer ctx)
inherited

Definition at line 652 of file PeerOptions.cc.

◆ updateContextOptions()

void Security::PeerOptions::updateContextOptions ( Security::ContextPointer ctx)
inherited

Definition at line 630 of file PeerOptions.cc.

◆ updateContextSessionId()

void Security::ServerOptions::updateContextSessionId ( Security::ContextPointer ctx)

Definition at line 486 of file ServerOptions.cc.

◆ updateContextTrust()

void Security::PeerOptions::updateContextTrust ( Security::ContextPointer ctx)
inherited

Definition at line 744 of file PeerOptions.cc.

References assert, DBG_IMPORTANT, debugs, and Security::ErrorString().

◆ updateSessionOptions()

void Security::PeerOptions::updateSessionOptions ( Security::SessionPointer s)
inherited

◆ updateTlsVersionLimits()

void Security::PeerOptions::updateTlsVersionLimits ( )
inherited

Definition at line 153 of file PeerOptions.cc.

References SBuf::append(), SBuf::chop(), DBG_PARSE_NOTE, and debugs.

Member Data Documentation

◆ caDir

SBuf Security::PeerOptions::caDir
inherited

Definition at line 79 of file PeerOptions.h.

◆ caFiles

std::list<SBuf> Security::PeerOptions::caFiles
inherited

Definition at line 104 of file PeerOptions.h.

◆ certs

std::list<Security::KeyData> Security::PeerOptions::certs
inherited

Definition at line 103 of file PeerOptions.h.

Referenced by Ssl::InitClientContext().

◆ clientCaFile

SBuf Security::ServerOptions::clientCaFile
private

Definition at line 107 of file ServerOptions.h.

Referenced by operator=().

◆ clientCaStack

X509_NAME_STACK_Pointer Security::ServerOptions::clientCaStack
private

Definition at line 110 of file ServerOptions.h.

Referenced by operator=().

◆ crlFile

SBuf Security::PeerOptions::crlFile
inherited

Definition at line 80 of file PeerOptions.h.

◆ dh

SBuf Security::ServerOptions::dh
private

Definition at line 115 of file ServerOptions.h.

Referenced by operator=().

◆ dhParamsFile

SBuf Security::ServerOptions::dhParamsFile
private

Definition at line 116 of file ServerOptions.h.

Referenced by operator=().

◆ dynamicCertMemCacheSize

size_t Security::ServerOptions::dynamicCertMemCacheSize = 4*1024*1024

Definition at line 91 of file ServerOptions.h.

Referenced by operator=().

◆ eecdhCurve

SBuf Security::ServerOptions::eecdhCurve
private

Definition at line 117 of file ServerOptions.h.

Referenced by operator=().

◆ encryptTransport

◆ flags

struct Security::PeerOptions::flags_ Security::PeerOptions::flags
protectedinherited

Referenced by ServerOptions().

◆ generateHostCertificates

bool Security::ServerOptions::generateHostCertificates = true

Definition at line 75 of file ServerOptions.h.

Referenced by operator=().

◆ optsReparse

bool Security::PeerOptions::optsReparse = true
privateinherited

Definition at line 98 of file PeerOptions.h.

◆ parsedCrl

Security::CertRevokeList Security::PeerOptions::parsedCrl
inherited

Definition at line 105 of file PeerOptions.h.

◆ parsedDhParams

Security::DhePointer Security::ServerOptions::parsedDhParams
private

Definition at line 119 of file ServerOptions.h.

Referenced by operator=().

◆ parsedFlags

ParsedPortFlags Security::PeerOptions::parsedFlags = 0
inherited

Definition at line 101 of file PeerOptions.h.

◆ parsedOptions

Security::ParsedOptions Security::PeerOptions::parsedOptions
privateinherited

Parsed value of sslOptions + tlsMinOptions settings. Set optsReparse=true to have this re-parsed before next use.

Definition at line 95 of file PeerOptions.h.

◆ signingCa

Security::KeyData Security::ServerOptions::signingCa

Definition at line 87 of file ServerOptions.h.

Referenced by Ssl::chainCertificatesToSSLContext(), and operator=().

◆ sslCipher

SBuf Security::PeerOptions::sslCipher
inherited

Definition at line 82 of file PeerOptions.h.

Referenced by Ssl::InitClientContext().

◆ sslDomain

SBuf Security::PeerOptions::sslDomain
inherited

Definition at line 84 of file PeerOptions.h.

Referenced by Security::BlindPeerConnector::initialize().

◆ sslFlags

SBuf Security::PeerOptions::sslFlags
inherited

Definition at line 83 of file PeerOptions.h.

◆ sslOptions

SBuf Security::PeerOptions::sslOptions
inherited

Definition at line 78 of file PeerOptions.h.

◆ sslVersion

int Security::PeerOptions::sslVersion = 0
protectedinherited

Definition at line 128 of file PeerOptions.h.

◆ staticContext

Security::ContextPointer Security::ServerOptions::staticContext

Definition at line 71 of file ServerOptions.h.

◆ staticContextSessionId

SBuf Security::ServerOptions::staticContextSessionId

Definition at line 72 of file ServerOptions.h.

Referenced by operator=().

◆ tlsMinOptions

SBuf Security::PeerOptions::tlsMinOptions
privateinherited

Library-specific options string generated from tlsMinVersion. Call updateTlsVersionLimits() to regenerate this string.

Definition at line 91 of file PeerOptions.h.

◆ tlsMinVersion

SBuf Security::PeerOptions::tlsMinVersion
inherited

Definition at line 86 of file PeerOptions.h.

◆ untrustedSigningCa

Security::KeyData Security::ServerOptions::untrustedSigningCa

Definition at line 88 of file ServerOptions.h.

Referenced by operator=().


The documentation for this class was generated from the following files:

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors