TLS squid.conf settings for a listening port. More...

#include <ServerOptions.h>

Inheritance diagram for Security::ServerOptions:
Collaboration diagram for Security::ServerOptions:

Public Types

typedef std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > X509_NAME_STACK_Pointer

Public Member Functions

 sk_dtor_wrapper (sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free)
 ServerOptions ()
 ServerOptions (const ServerOptions &o)
ServerOptionsoperator= (const ServerOptions &)
 ServerOptions (ServerOptions &&o)
ServerOptionsoperator= (ServerOptions &&o)
virtual ~ServerOptions ()=default
virtual void parse (const char *)
 parse a TLS squid.conf option More...
virtual void clear ()
 reset the configuration details to default More...
virtual Security::ContextPointer createBlankContext () const
 generate an unset security context object More...
virtual void dumpCfg (Packable *, const char *pfx) const
 output squid.conf syntax with 'pfx' prefix on parameters for the stored settings More...
void initServerContexts (AnyP::PortCfg &)
bool updateContextConfig (Security::ContextPointer &)
 update the given TLS security context using squid.conf settings More...
void updateContextEecdh (Security::ContextPointer &)
 update the context with DH, EDH, EECDH settings More...
void updateContextClientCa (Security::ContextPointer &)
 update the context with CA details used to verify client certificates More...
void updateContextSessionId (Security::ContextPointer &)
 update the context with a configured session ID (if any) More...
void syncCaFiles ()
 sync the various sources of CA files to be loaded More...
void parseOptions ()
 parse and verify the [tls-]options= string in sslOptions More...
Security::ContextPointer createClientContext (bool setOptions)
 generate a security client-context from these configured options More...
void updateTlsVersionLimits ()
 sync the context options with tls-min-version=N configuration More...
void updateContextOptions (Security::ContextPointer &)
 Setup the library specific 'options=' parameters for the given context. More...
void updateContextNpn (Security::ContextPointer &)
 setup the NPN extension details for the given context More...
void updateContextCa (Security::ContextPointer &)
 setup the CA details for the given context More...
void updateContextCrl (Security::ContextPointer &)
 setup the CRL details for the given context More...
void updateContextTrust (Security::ContextPointer &)
 decide which CAs to trust More...
void updateSessionOptions (Security::SessionPointer &)
 setup any library-specific options that can be set for the given session More...

Public Attributes

Security::ContextPointer staticContext
 TLS context to use for HTTPS accelerator or static SSL-Bump. More...
SBuf staticContextSessionId
 "session id context" for staticContext More...
bool generateHostCertificates = true
 dynamically make host cert More...
Security::KeyData signingCa
 x509 certificate and key for signing generated certificates More...
Security::KeyData untrustedSigningCa
 x509 certificate and key for signing untrusted generated certificates More...
size_t dynamicCertMemCacheSize = 4*1024*1024
 max size of generated certificates memory cache (4 MB default) More...
SBuf sslOptions
 library-specific options string More...
SBuf caDir
 path of directory containing a set of trusted Certificate Authorities More...
SBuf crlFile
 path of file containing Certificate Revoke List More...
SBuf sslCipher
SBuf sslFlags
 flags defining what TLS operations Squid performs More...
SBuf sslDomain
SBuf tlsMinVersion
 version label for minimum TLS version to permit More...
long parsedFlags = 0
 parsed value of sslFlags More...
std::list< Security::KeyDatacerts
 details from the cert= and file= config parameters More...
std::list< SBufcaFiles
 paths of files containing trusted Certificate Authority More...
Security::CertRevokeList parsedCrl
 CRL to use when verifying the remote end certificate. More...
bool encryptTransport = false
 whether transport encryption (TLS/SSL) is to be used on connections to the peer More...

Protected Member Functions

template<typename T >
Security::ContextPointer convertContextFromRawPtr (T ctx) const

Protected Attributes

int sslVersion = 0
struct Security::PeerOptions::flags_ flags

Private Member Functions

bool loadClientCaFile ()
void loadDhParams ()
bool createStaticServerContext (AnyP::PortCfg &)
void createSigningContexts (const AnyP::PortCfg &)

Private Attributes

SBuf clientCaFile
 name of file to load client CAs from More...
X509_NAME_STACK_Pointer clientCaStack
 CA certificate(s) to use when verifying client certificates. More...
SBuf dh
 Diffi-Helman cipher config. More...
SBuf dhParamsFile
 Diffi-Helman ciphers parameter file. More...
SBuf eecdhCurve
 Elliptic curve for ephemeral EC-based DH key exchanges. More...
Security::DhePointer parsedDhParams
 DH parameters for temporary/ephemeral DH key exchanges. More...

Detailed Description

Definition at line 25 of file ServerOptions.h.

Member Typedef Documentation

◆ X509_NAME_STACK_Pointer

typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> Security::ServerOptions::X509_NAME_STACK_Pointer

Definition at line 30 of file ServerOptions.h.

Constructor & Destructor Documentation

◆ ServerOptions() [1/3]

Security::ServerOptions::ServerOptions ( )

◆ ServerOptions() [2/3]

Security::ServerOptions::ServerOptions ( const ServerOptions o)

Definition at line 38 of file ServerOptions.h.

References operator=().

◆ ServerOptions() [3/3]

Security::ServerOptions::ServerOptions ( ServerOptions &&  o)

Definition at line 40 of file ServerOptions.h.

References operator=().

◆ ~ServerOptions()

virtual Security::ServerOptions::~ServerOptions ( )

Referenced by operator=().

Member Function Documentation

◆ clear()

virtual void Security::ServerOptions::clear ( )

◆ convertContextFromRawPtr()

template<typename T >
Security::ContextPointer Security::PeerOptions::convertContextFromRawPtr ( ctx) const

Definition at line 108 of file PeerOptions.h.

References assert, debugs, and p.

Referenced by Security::PeerOptions::createBlankContext(), and createBlankContext().

◆ createBlankContext()

Security::ContextPointer Security::ServerOptions::createBlankContext ( ) const

◆ createClientContext()

◆ createSigningContexts()

void Security::ServerOptions::createSigningContexts ( const AnyP::PortCfg port)

◆ createStaticServerContext()

bool Security::ServerOptions::createStaticServerContext ( AnyP::PortCfg port)

generate a security server-context from these configured options the resulting context is stored in staticContext

true if a context could be created

Definition at line 207 of file

References SBuf::append(), SBuf::appendf(), Security::PeerOptions::certs, createBlankContext(), DBG_CRITICAL, DBG_IMPORTANT, debugs, error(), Security::ErrorString(), keys, loadClientCaFile(), staticContext, updateContextConfig(), and Security::PeerOptions::updateTlsVersionLimits().

Referenced by initServerContexts().

◆ dumpCfg()

void Security::ServerOptions::dumpCfg ( Packable p,
const char *  pfx 
) const

◆ initServerContexts()

void Security::ServerOptions::initServerContexts ( AnyP::PortCfg port)

initialize all server contexts as-needed and load PEM files. if none can be created this may do nothing.

Definition at line 186 of file

References buf, Security::PeerOptions::certs, createSigningContexts(), createStaticServerContext(), fatalf(), generateHostCertificates, AnyP::ProtocolVersion::protocol, AnyP::ProtocolType_str, AnyP::PortCfg::s, Ip::Address::toUrl(), and AnyP::PortCfg::transport.

Referenced by clear().

◆ loadClientCaFile()

bool Security::ServerOptions::loadClientCaFile ( )

load clientca= file (if any) into memory.

Return values
trueclientca is not set, or loaded successfully
falseunable to load the file, or not using OpenSSL

Definition at line 331 of file

References SBuf::c_str(), clientCaFile, clientCaStack, DBG_CRITICAL, debugs, and SBuf::isEmpty().

Referenced by createStaticServerContext().

◆ loadDhParams()

void Security::ServerOptions::loadDhParams ( )

◆ operator=() [1/2]

◆ operator=() [2/2]

ServerOptions& Security::ServerOptions::operator= ( ServerOptions &&  o)

Definition at line 41 of file ServerOptions.h.

References operator=(), parse(), and ~ServerOptions().

◆ parse()

◆ parseOptions()

◆ sk_dtor_wrapper()

Security::ServerOptions::sk_dtor_wrapper ( sk_X509_NAME  ,
STACK_OF(X509_NAME) *  ,

◆ syncCaFiles()

void Security::ServerOptions::syncCaFiles ( )

Definition at line 316 of file

References Security::PeerOptions::caFiles, clientCaFile, and SBuf::isEmpty().

Referenced by clear().

◆ updateContextCa()

◆ updateContextClientCa()

◆ updateContextConfig()

◆ updateContextCrl()

◆ updateContextEecdh()

◆ updateContextNpn()

void Security::PeerOptions::updateContextNpn ( Security::ContextPointer ctx)

◆ updateContextOptions()

void Security::PeerOptions::updateContextOptions ( Security::ContextPointer ctx)

◆ updateContextSessionId()

void Security::ServerOptions::updateContextSessionId ( Security::ContextPointer ctx)

◆ updateContextTrust()

void Security::PeerOptions::updateContextTrust ( Security::ContextPointer ctx)

◆ updateSessionOptions()

◆ updateTlsVersionLimits()

Member Data Documentation

◆ caDir

SBuf Security::PeerOptions::caDir

◆ caFiles

std::list<SBuf> Security::PeerOptions::caFiles

◆ certs

◆ clientCaFile

SBuf Security::ServerOptions::clientCaFile

Definition at line 107 of file ServerOptions.h.

Referenced by loadClientCaFile(), operator=(), parse(), and syncCaFiles().

◆ clientCaStack

X509_NAME_STACK_Pointer Security::ServerOptions::clientCaStack

Definition at line 110 of file ServerOptions.h.

Referenced by loadClientCaFile(), operator=(), and updateContextClientCa().

◆ crlFile

SBuf Security::PeerOptions::crlFile

◆ dh

SBuf Security::ServerOptions::dh

Definition at line 115 of file ServerOptions.h.

Referenced by dumpCfg(), operator=(), and parse().

◆ dhParamsFile

SBuf Security::ServerOptions::dhParamsFile

Definition at line 116 of file ServerOptions.h.

Referenced by loadDhParams(), operator=(), and parse().

◆ dynamicCertMemCacheSize

size_t Security::ServerOptions::dynamicCertMemCacheSize = 4*1024*1024

Definition at line 91 of file ServerOptions.h.

Referenced by dumpCfg(), operator=(), and parse().

◆ eecdhCurve

SBuf Security::ServerOptions::eecdhCurve

Definition at line 117 of file ServerOptions.h.

Referenced by operator=(), parse(), and updateContextEecdh().

◆ encryptTransport

◆ flags

◆ generateHostCertificates

bool Security::ServerOptions::generateHostCertificates = true

Definition at line 75 of file ServerOptions.h.

Referenced by dumpCfg(), initServerContexts(), operator=(), and parse().

◆ parsedCrl

Security::CertRevokeList Security::PeerOptions::parsedCrl

◆ parsedDhParams

Security::DhePointer Security::ServerOptions::parsedDhParams

Definition at line 119 of file ServerOptions.h.

Referenced by loadDhParams(), operator=(), and updateContextEecdh().

◆ parsedFlags

◆ signingCa

Security::KeyData Security::ServerOptions::signingCa

◆ sslCipher

SBuf Security::PeerOptions::sslCipher

◆ sslDomain

SBuf Security::PeerOptions::sslDomain

◆ sslFlags

SBuf Security::PeerOptions::sslFlags

◆ sslOptions

◆ sslVersion

int Security::PeerOptions::sslVersion = 0

◆ staticContext

Security::ContextPointer Security::ServerOptions::staticContext

Definition at line 71 of file ServerOptions.h.

Referenced by createStaticServerContext().

◆ staticContextSessionId

SBuf Security::ServerOptions::staticContextSessionId

Definition at line 72 of file ServerOptions.h.

Referenced by dumpCfg(), operator=(), parse(), and updateContextSessionId().

◆ tlsMinVersion

SBuf Security::PeerOptions::tlsMinVersion

◆ untrustedSigningCa

Security::KeyData Security::ServerOptions::untrustedSigningCa

Definition at line 88 of file ServerOptions.h.

Referenced by createSigningContexts(), and operator=().

The documentation for this class was generated from the following files:






Web Site Translations