Collaboration diagram for Server-Side SSL API:


 Server-Side SSL Internals


typedef char const * Ssl::GETX509ATTRIBUTE (X509 *, const char *)


enum  Ssl::BumpMode {
  Ssl::bumpNone = 0,


const char * Ssl::CommonHostName (X509 *x509)
const char * Ssl::getOrganization (X509 *x509)
bool Ssl::CertificatesCmp (const Security::CertPointer &cert1, const Security::CertPointer &cert2)
const char * sslGetUserEmail (SSL *ssl)
const char * sslGetUserAttribute (SSL *ssl, const char *attribute_name)
const char * sslGetCAAttribute (SSL *ssl, const char *attribute_name)
const char * sslGetUserCertificatePEM (SSL *ssl)
const char * sslGetUserCertificateChainPEM (SSL *ssl)
const char * Ssl::bumpMode (int bm)
bool Ssl::generateUntrustedCert (Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
bool Ssl::loadCerts (const char *certsFile, Ssl::CertsIndexedList &list)
bool Ssl::loadSquidUntrusted (const char *path)
void Ssl::unloadSquidUntrusted ()
Security::ContextPointer Ssl::GenerateSslContext (CertificateProperties const &, Security::ServerOptions &, bool trusted)
bool Ssl::verifySslCertificate (Security::ContextPointer &, CertificateProperties const &)
Security::ContextPointer Ssl::GenerateSslContextUsingPkeyAndCertFromMemory (const char *data, Security::ServerOptions &, bool trusted)
Security::ContextPointer Ssl::createSSLContext (Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
 Create SSL context and apply ssl certificate and private key to it. More...
void Ssl::chainCertificatesToSSLContext (Security::ContextPointer &, Security::ServerOptions &)
void Ssl::configureUnconfiguredSslContext (Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
bool Ssl::configureSSL (SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
bool Ssl::configureSSLUsingPkeyAndCertFromMemory (SSL *ssl, const char *data, AnyP::PortCfg &port)
void Ssl::addChainToSslContext (Security::ContextPointer &, Security::CertList &)
void Ssl::useSquidUntrusted (SSL_CTX *sslContext)
void Ssl::readCertChainAndPrivateKeyFromFiles (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, Security::CertList &chain, char const *certFilename, char const *keyFilename)
int Ssl::matchX509CommonNames (X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
bool Ssl::checkX509ServerValidity (X509 *cert, const char *server)
int Ssl::asn1timeToString (ASN1_TIME *tm, char *buf, int len)
bool Ssl::setClientSNI (SSL *ssl, const char *fqdn)
void Ssl::InRamCertificateDbKey (const Ssl::CertificateProperties &certProperties, SBuf &key)
BIO * Ssl::BIO_new_SBuf (SBuf *buf)


GETX509ATTRIBUTE Ssl::GetX509UserAttribute
GETX509ATTRIBUTE Ssl::GetX509CAAttribute
GETX509ATTRIBUTE Ssl::GetX509Fingerprint
std::vector< const char * > Ssl::BumpModeStr

Detailed Description

Typedef Documentation

typedef char const* Ssl::GETX509ATTRIBUTE(X509 *, const char *)

Definition at line 108 of file support.h.

Enumeration Type Documentation

Supported ssl-bump modes


Definition at line 125 of file support.h.

Function Documentation

void Ssl::addChainToSslContext ( Security::ContextPointer ctx,
Security::CertList chain 

Adds the certificates in certList to the certificate chain of the SSL context

Definition at line 946 of file

References DBG_IMPORTANT, debugs, and Security::ErrorString().

Referenced by Ssl::chainCertificatesToSSLContext(), and Ssl::InitServerContext().

int Ssl::asn1timeToString ( ASN1_TIME *  tm,
char *  buf,
int  len 

Convert a given ASN1_TIME to a string form.

tmthe time in ASN1_TIME form
bufthe buffer to write the output
lenwrite at most len bytes
The number of bytes written

Definition at line 158 of file

Referenced by Ssl::ErrorDetail::notafter(), and Ssl::ErrorDetail::notbefore().

BIO * Ssl::BIO_new_SBuf ( SBuf buf)

Creates and returns an OpenSSL BIO object for writing to buf (or throws). TODO: Add support for reading from buf.

Definition at line 1396 of file

References bio_sbuf_create(), bio_sbuf_ctrl(), bio_sbuf_destroy(), bio_sbuf_puts(), bio_sbuf_write(), BIO_set_data(), BIO_set_init(), Must, and NULL.

Referenced by Ssl::InRamCertificateDbKey().

const char* Ssl::bumpMode ( int  bm)
bool Ssl::CertificatesCmp ( const Security::CertPointer &  cert1,
const Security::CertPointer &  cert2 
whether both certificates exist and are the same (e.g., have identical ASN.1 images)

Definition at line 924 of file

References NULL.

Referenced by Ssl::CertificateDb::pure_find().

void Ssl::chainCertificatesToSSLContext ( Security::ContextPointer ctx,
Security::ServerOptions options 
bool Ssl::checkX509ServerValidity ( X509 *  cert,
const char *  server 

Check if the certificate is valid for a server

certThe X509 cert to check.
serverThe server name.
true if the certificate is valid for the server or false otherwise.

Definition at line 231 of file

References check_domain(), and Ssl::matchX509CommonNames().

Referenced by ACLServerNameStrategy::match(), ConnStateData::serveDelayedError(), and ssl_verify_cb().

const char * Ssl::CommonHostName ( X509 *  x509)

Returns CN from the certificate, suitable for use as a host name. Uses static memory to temporary store the extracted name.

Definition at line 913 of file

References getSubjectEntry().

Referenced by Ssl::certificateMatchesProperties(), Ssl::generateUntrustedCert(), Ssl::PeekingPeerConnector::noteNegotiationDone(), and Ssl::PeekingPeerConnector::serverCertificateVerified().

bool Ssl::configureSSL ( SSL *  ssl,
CertificateProperties const &  properties,
AnyP::PortCfg port 

Generates a certificate and a private key using provided properies and set it to SSL object.

Definition at line 859 of file

References Ssl::generateSslCertificate().

Referenced by ConnStateData::getSslContextStart().

bool Ssl::configureSSLUsingPkeyAndCertFromMemory ( SSL *  ssl,
const char *  data,
AnyP::PortCfg port 

Read private key and certificate from memory and set it to SSL object using their.

Definition at line 882 of file

References Ssl::readCertAndPrivateKeyFromMemory().

Referenced by ConnStateData::sslCrtdHandleReply().

void Ssl::configureUnconfiguredSslContext ( Security::ContextPointer ctx,
Ssl::CertSignAlgorithm  signAlgorithm,
AnyP::PortCfg port 

Configure a previously unconfigured SSL context object.

Definition at line 852 of file

References Ssl::algSignTrusted, Ssl::chainCertificatesToSSLContext(), and AnyP::PortCfg::secure.

Referenced by ConnStateData::getSslContextStart(), and ConnStateData::sslCrtdHandleReply().

Security::ContextPointer Ssl::createSSLContext ( Security::CertPointer &  x509,
Security::PrivateKeyPointer &  pkey,
Security::ServerOptions options 
Security::ContextPointer Ssl::GenerateSslContext ( CertificateProperties const &  properties,
Security::ServerOptions options,
bool  trusted 

Decide on the kind of certificate and generate a CA- or self-signed one

Definition at line 822 of file

References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::generateSslCertificate().

Referenced by ConnStateData::getSslContextStart().

Security::ContextPointer Ssl::GenerateSslContextUsingPkeyAndCertFromMemory ( const char *  data,
Security::ServerOptions options,
bool  trusted 

Read private key and certificate from memory and generate SSL context using their.

Definition at line 808 of file

References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::readCertAndPrivateKeyFromMemory().

Referenced by ConnStateData::sslCrtdHandleReply().

bool Ssl::generateUntrustedCert ( Security::CertPointer &  untrustedCert,
Security::PrivateKeyPointer &  untrustedPkey,
Security::CertPointer const &  cert,
Security::PrivateKeyPointer const &  pkey 
const char * Ssl::getOrganization ( X509 *  x509)

Returns Organization from the certificate. Uses static memory to temporary store the extracted name.

Definition at line 918 of file

References getSubjectEntry().

Referenced by Ssl::generateUntrustedCert().

bool Ssl::loadCerts ( const char *  certsFile,
Ssl::CertsIndexedList list 

Load PEM-encoded certificates from the given file.

Definition at line 997 of file

References DBG_IMPORTANT, debugs, and NULL.

Referenced by Ssl::loadSquidUntrusted().

bool Ssl::loadSquidUntrusted ( const char *  path)

Load PEM-encoded certificates to the squid untrusteds certificates internal DB from the given file.

Definition at line 1222 of file

References Ssl::loadCerts(), and SquidUntrustedCerts.

Referenced by configDoConfigure().

int Ssl::matchX509CommonNames ( X509 *  peer_cert,
void *  check_data,
int(*)(void *check_data, ASN1_STRING *cn_data)  check_func 

Iterates over the X509 common and alternate names and to see if matches with given data using the check_func.

peer_certThe X509 cert to check
check_dataThe data with which the X509 CNs compared
check_funcThe function used to match X509 CNs. The CN data passed as ASN1_STRING data
1 if any of the certificate CN matches, 0 if none matches.

Definition at line 172 of file

References assert, i, NULL, and STACK_OF().

Referenced by Ssl::checkX509ServerValidity(), Ssl::ErrorDetail::cn(), and ACLServerNameStrategy::match().

void Ssl::readCertChainAndPrivateKeyFromFiles ( Security::CertPointer &  cert,
Security::PrivateKeyPointer &  pkey,
Security::CertList chain,
char const *  certFilename,
char const *  keyFilename 

Read certificate, private key and any certificates which must be chained from files. See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h

certFilenamename of file with certificate and certificates which must be chainned.
keyFilenamename of file with private key.

Definition at line 1269 of file

References DBG_IMPORTANT, debugs, NULL, Ssl::ReadPrivateKeyFromFile(), readSslX509CertificatesChain(), and ssl_ask_password_cb().

Referenced by Security::ServerOptions::createSigningContexts().

bool Ssl::setClientSNI ( SSL *  ssl,
const char *  fqdn 

Sets the hostname for the Server Name Indication (SNI) TLS extension if supported by the used openssl toolkit.

true if SNI set false otherwise

Definition at line 927 of file

References debugs, and Security::ErrorString().

Referenced by Ssl::PeekingPeerConnector::initialize().

const char* sslGetCAAttribute ( SSL *  ssl,
const char *  attribute_name 

Definition at line 694 of file

References Ssl::GetX509CAAttribute, and NULL.

Referenced by Format::Format::assemble().

const char* sslGetUserAttribute ( SSL *  ssl,
const char *  attribute_name 

Definition at line 681 of file

References Ssl::GetX509UserAttribute, and NULL.

Referenced by Format::Format::assemble(), and sslGetUserEmail().

const char* sslGetUserCertificateChainPEM ( SSL *  ssl)

Definition at line 752 of file

References i, len, NULL, safe_free, sslGetUserCertificatePEM(), STACK_OF(), and xmalloc.

const char* sslGetUserCertificatePEM ( SSL *  ssl)

Definition at line 714 of file

References len, NULL, safe_free, and xmalloc.

Referenced by Format::Format::assemble(), and sslGetUserCertificateChainPEM().

const char* sslGetUserEmail ( SSL *  ssl)
void Ssl::unloadSquidUntrusted ( )

Removes all certificates from squid untrusteds certificates internal DB and frees all memory

Definition at line 1228 of file

References SquidUntrustedCerts.

Referenced by configFreeMemory().

void Ssl::useSquidUntrusted ( SSL_CTX *  sslContext)

Configures sslContext to use squid untrusted certificates internal list to complete certificate chains when verifies SSL servers certificates.

Definition at line 1216 of file

References NULL, and untrustedToStoreCtx_cb().

Referenced by configDoConfigure().

bool Ssl::verifySslCertificate ( Security::ContextPointer ctx,
CertificateProperties const &  properties 

Check if the certificate of the given context is still valid

sslContextThe context to check
propertiesCheck if the context certificate matches the given properties
true if the contexts certificate is valid, false otherwise

Definition at line 902 of file

References assert, Security::NewSessionObject(), and NULL.

Referenced by ConnStateData::getTlsContextFromCache().

Variable Documentation

std::vector< const char * > Ssl::BumpModeStr
Initial value:
= {

Short names for ssl-bump modes

Definition at line 45 of file

Referenced by Ssl::bumpMode(), dump_sslproxy_ssl_bump(), and parse_sslproxy_ssl_bump().

const char * Ssl::GetX509CAAttribute

Definition at line 114 of file support.h.

Referenced by Format::Format::assemble(), Acl::Init(), and sslGetCAAttribute().

const char * Ssl::GetX509Fingerprint

Definition at line 117 of file support.h.

Referenced by Acl::Init().

const char * Ssl::GetX509UserAttribute

Definition at line 111 of file support.h.

Referenced by Format::Format::assemble(), Acl::Init(), and sslGetUserAttribute().






Web Site Translations