Collaboration diagram for Server-Side SSL API:

Modules

 Server-Side SSL Internals
 

Typedefs

typedef char const * Ssl::GETX509ATTRIBUTE(X509 *, const char *)
 

Enumerations

enum  Ssl::BumpMode {
  Ssl::bumpNone = 0 ,
  Ssl::bumpClientFirst ,
  Ssl::bumpServerFirst ,
  Ssl::bumpPeek ,
  Ssl::bumpStare ,
  Ssl::bumpBump ,
  Ssl::bumpSplice ,
  Ssl::bumpTerminate ,
  Ssl::bumpEnd
}
 

Functions

const char * Ssl::CommonHostName (X509 *x509)
 
const char * Ssl::getOrganization (X509 *x509)
 
bool Ssl::CertificatesCmp (const Security::CertPointer &cert1, const Security::CertPointer &cert2)
 
const char * sslGetUserEmail (SSL *ssl)
 
const char * sslGetUserAttribute (SSL *ssl, const char *attribute_name)
 
const char * sslGetCAAttribute (SSL *ssl, const char *attribute_name)
 
SBuf sslGetUserCertificatePEM (SSL *ssl)
 
SBuf sslGetUserCertificateChainPEM (SSL *ssl)
 
const char * Ssl::bumpMode (int bm)
 
bool Ssl::generateUntrustedCert (Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
 
bool Ssl::loadCerts (const char *certsFile, Ssl::CertsIndexedList &list)
 
bool Ssl::loadSquidUntrusted (const char *path)
 
void Ssl::unloadSquidUntrusted ()
 
Security::ContextPointer Ssl::GenerateSslContext (CertificateProperties const &, Security::ServerOptions &, bool trusted)
 
bool Ssl::verifySslCertificate (const Security::ContextPointer &, CertificateProperties const &)
 
Security::ContextPointer Ssl::GenerateSslContextUsingPkeyAndCertFromMemory (const char *data, Security::ServerOptions &, bool trusted)
 
Security::ContextPointer Ssl::createSSLContext (Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
 Create an SSL context and apply the SSL certificate and private key to it.
 
void Ssl::chainCertificatesToSSLContext (Security::ContextPointer &, Security::ServerOptions &)
 
void Ssl::configureUnconfiguredSslContext (Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
 
bool Ssl::configureSSL (SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
 
bool Ssl::configureSSLUsingPkeyAndCertFromMemory (SSL *ssl, const char *data, AnyP::PortCfg &port)
 
void Ssl::useSquidUntrusted (SSL_CTX *sslContext)
 
int Ssl::matchX509CommonNames (X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
 
bool Ssl::checkX509ServerValidity (X509 *cert, const char *server)
 
int Ssl::asn1timeToString (ASN1_TIME *tm, char *buf, int len)
 
void Ssl::setClientSNI (SSL *ssl, const char *fqdn)
 
void Ssl::InRamCertificateDbKey (const Ssl::CertificateProperties &certProperties, SBuf &key)
 
BIO * Ssl::BIO_new_SBuf (SBuf *buf)
 

Variables

GETX509ATTRIBUTE Ssl::GetX509UserAttribute
 
GETX509ATTRIBUTE Ssl::GetX509CAAttribute
 
GETX509PEM Ssl::GetX509PEM
 
GETX509ATTRIBUTE Ssl::GetX509Fingerprint
 
std::vector< const char * > Ssl::BumpModeStr
 

Detailed Description

Typedef Documentation

◆ GETX509ATTRIBUTE

typedef char const * Ssl::GETX509ATTRIBUTE(X509 *, const char *)

Definition at line 105 of file support.h.

Enumeration Type Documentation

◆ BumpMode

Supported ssl-bump modes

Enumerator
bumpNone 
bumpClientFirst 
bumpServerFirst 
bumpPeek 
bumpStare 
bumpBump 
bumpSplice 
bumpTerminate 
bumpEnd 

Definition at line 126 of file support.h.

Function Documentation

◆ asn1timeToString()

int Ssl::asn1timeToString (ASN1_TIME *tm, char *buf, int len)

Converts the given ASN1_TIME to string form.

Parameters
tm: the time in ASN1_TIME form
buf: the buffer to write the output to
len: write at most len bytes
Returns
The number of bytes written

Definition at line 181 of file support.cc.

Referenced by Security::ErrorDetail::printNotAfter(), Security::ErrorDetail::printNotBefore(), and STUB_RETVAL().

◆ BIO_new_SBuf()

BIO * Ssl::BIO_new_SBuf (SBuf *buf)

Creates and returns an OpenSSL BIO object for writing to buf (or throws). TODO: Add support for reading from buf.

Definition at line 1467 of file support.cc.

References bio_sbuf_create(), bio_sbuf_ctrl(), bio_sbuf_destroy(), bio_sbuf_puts(), bio_sbuf_write(), BIO_set_data(), BIO_set_init(), Must, and NULL.

Referenced by Ssl::InRamCertificateDbKey().

◆ bumpMode()

◆ CertificatesCmp()

bool Ssl::CertificatesCmp (const Security::CertPointer &cert1, const Security::CertPointer &cert2)

Returns
whether both certificates exist and are the same (e.g., have identical ASN.1 images)

Definition at line 980 of file gadgets.cc.

References Security::LockingPointer< T, UnLocker, Locker >::get().

Referenced by Ssl::CertificateDb::pure_find().

◆ chainCertificatesToSSLContext()

◆ checkX509ServerValidity()

bool Ssl::checkX509ServerValidity (X509 *cert, const char *server)

Checks whether the certificate is valid for a server.

Parameters
cert: The X509 cert to check.
server: The server name.
Returns
true if the certificate is valid for the server, false otherwise.

Definition at line 254 of file support.cc.

References check_domain(), Ssl::matchX509CommonNames(), and server.

Referenced by Acl::ServerNameCheck::match(), ConnStateData::serveDelayedError(), ssl_verify_cb(), and STUB_RETVAL().

◆ CommonHostName()

const char * Ssl::CommonHostName (X509 *x509)

Returns the CN from the certificate, suitable for use as a host name. Uses static memory to temporarily store the extracted name.

Definition at line 969 of file gadgets.cc.

References getSubjectEntry().

Referenced by Ssl::certificateMatchesProperties(), Ssl::generateUntrustedCert(), Ssl::PeekingPeerConnector::noteNegotiationDone(), and Ssl::PeekingPeerConnector::serverCertificateVerified().

◆ configureSSL()

bool Ssl::configureSSL (SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)

Generates a certificate and a private key using the provided properties and sets them on the SSL object.

Definition at line 1002 of file support.cc.

References Ssl::generateSslCertificate(), and Security::LockingPointer< T, UnLocker, Locker >::get().

Referenced by ConnStateData::getSslContextStart().

◆ configureSSLUsingPkeyAndCertFromMemory()

bool Ssl::configureSSLUsingPkeyAndCertFromMemory (SSL *ssl, const char *data, AnyP::PortCfg &port)

Reads a private key and certificate from memory and sets them on the SSL object.

Definition at line 1025 of file support.cc.

References Security::LockingPointer< T, UnLocker, Locker >::get(), and Ssl::readCertAndPrivateKeyFromMemory().

Referenced by ConnStateData::sslCrtdHandleReply().

◆ configureUnconfiguredSslContext()

void Ssl::configureUnconfiguredSslContext (Security::ContextPointer &ctx, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &port)

Configures a previously unconfigured SSL context object.

Definition at line 995 of file support.cc.

References Ssl::algSignTrusted, Ssl::chainCertificatesToSSLContext(), and port.

Referenced by ConnStateData::getSslContextStart(), and ConnStateData::sslCrtdHandleReply().

◆ createSSLContext()

Security::ContextPointer Ssl::createSSLContext (Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &options)

◆ GenerateSslContext()

Security::ContextPointer Ssl::GenerateSslContext (CertificateProperties const &properties, Security::ServerOptions &options, bool trusted)

Decides on the kind of certificate and generates a CA-signed or self-signed one.

Definition at line 956 of file support.cc.

References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::generateSslCertificate().

Referenced by ConnStateData::getSslContextStart(), and STUB_RETVAL().

◆ GenerateSslContextUsingPkeyAndCertFromMemory()

Security::ContextPointer Ssl::GenerateSslContextUsingPkeyAndCertFromMemory (const char *data, Security::ServerOptions &options, bool trusted)

Reads a private key and certificate from memory and generates an SSL context using them.

Definition at line 942 of file support.cc.

References Ssl::chainCertificatesToSSLContext(), Ssl::createSSLContext(), and Ssl::readCertAndPrivateKeyFromMemory().

Referenced by ConnStateData::sslCrtdHandleReply(), and STUB_RETVAL().

◆ generateUntrustedCert()

◆ getOrganization()

const char * Ssl::getOrganization (X509 *x509)

Returns the Organization from the certificate. Uses static memory to temporarily store the extracted name.

Definition at line 974 of file gadgets.cc.

References getSubjectEntry().

Referenced by Ssl::generateUntrustedCert().

◆ InRamCertificateDbKey()

◆ loadCerts()

bool Ssl::loadCerts (const char *certsFile, Ssl::CertsIndexedList &list)

Loads PEM-encoded certificates from the given file.

Definition at line 1120 of file support.cc.

References DBG_IMPORTANT, debugs, Ssl::ReadOptionalCertificate(), and Security::SubjectName().

Referenced by Ssl::loadSquidUntrusted().

◆ loadSquidUntrusted()

bool Ssl::loadSquidUntrusted (const char *path)

Loads PEM-encoded certificates from the given file into Squid's internal DB of untrusted certificates.

Definition at line 1351 of file support.cc.

References Ssl::loadCerts(), and SquidUntrustedCerts.

Referenced by configDoConfigure().

◆ matchX509CommonNames()

int Ssl::matchX509CommonNames (X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data))

Iterates over the X509 common names and subject alternative names and uses check_func to see whether any of them matches the given data.

Parameters
peer_cert: The X509 cert to check
check_data: The data against which the X509 CNs are compared
check_func: The function used to match X509 CNs. The CN data is passed as ASN1_STRING data
Returns
1 if any of the certificate's CNs matches, 0 if none matches.

Definition at line 195 of file support.cc.

References assert, and STACK_OF().

Referenced by Ssl::checkX509ServerValidity(), Acl::ServerNameCheck::match(), Security::ErrorDetail::printCommonName(), and STUB_RETVAL().

◆ setClientSNI()

void Ssl::setClientSNI (SSL *ssl, const char *fqdn)

Sets the hostname for the Server Name Indication (SNI) TLS extension, if supported by the OpenSSL toolkit in use.

Definition at line 1070 of file support.cc.

References debugs, Security::ErrorString(), and Ip::Address::isAnyAddr().

Referenced by Ssl::IcapPeerConnector::initialize(), Security::BlindPeerConnector::initialize(), Ssl::PeekingPeerConnector::initialize(), and STUB_RETVAL().

◆ sslGetCAAttribute()

const char * sslGetCAAttribute (SSL *ssl, const char *attribute_name)

Definition at line 871 of file support.cc.

References Ssl::GetX509CAAttribute.

Referenced by Format::Format::assemble().

◆ sslGetUserAttribute()

const char * sslGetUserAttribute (SSL *ssl, const char *attribute_name)

Definition at line 858 of file support.cc.

References Ssl::GetX509UserAttribute.

Referenced by Format::Format::assemble(), and sslGetUserEmail().

◆ sslGetUserCertificateChainPEM()

SBuf sslGetUserCertificateChainPEM (SSL *ssl)

Definition at line 902 of file support.cc.

References assert, and sslGetUserCertificatePEM().

◆ sslGetUserCertificatePEM()

SBuf sslGetUserCertificatePEM (SSL *ssl)

Definition at line 891 of file support.cc.

References assert, and Ssl::GetX509PEM.

Referenced by Format::Format::assemble(), and sslGetUserCertificateChainPEM().

◆ sslGetUserEmail()

const char * sslGetUserEmail (SSL *ssl)

◆ unloadSquidUntrusted()

void Ssl::unloadSquidUntrusted ()

Removes all certificates from Squid's internal DB of untrusted certificates and frees all associated memory.

Definition at line 1357 of file support.cc.

References SquidUntrustedCerts.

Referenced by configFreeMemory().

◆ useSquidUntrusted()

void Ssl::useSquidUntrusted (SSL_CTX *sslContext)

Configures sslContext to use Squid's internal list of untrusted certificates to complete certificate chains when verifying SSL servers' certificates.

Definition at line 1345 of file support.cc.

References untrustedToStoreCtx_cb().

Referenced by configDoConfigure().

◆ verifySslCertificate()

bool Ssl::verifySslCertificate (const Security::ContextPointer &ctx, CertificateProperties const &)

Checks whether the certificate of the given context is still valid.

Parameters
sslContext: The context to check
properties: Check whether the context certificate matches the given properties
Returns
true if the context's certificate is valid, false otherwise

Definition at line 1045 of file support.cc.

References assert, Security::NewSessionObject(), NULL, X509_getm_notAfter, and X509_getm_notBefore.

Referenced by ConnStateData::getTlsContextFromCache(), and STUB_RETVAL().

Variable Documentation

◆ BumpModeStr

std::vector< const char * > Ssl::BumpModeStr
extern
Initial value:
= {
"none",
"client-first",
"server-first",
"peek",
"stare",
"bump",
"splice",
"terminate"
}

Short names for ssl-bump modes

Definition at line 46 of file support.cc.

Referenced by Ssl::bumpMode(), parse_sslproxy_ssl_bump(), and STUB_RETVAL().

◆ GetX509CAAttribute

const char * Ssl::GetX509CAAttribute

Definition at line 112 of file support.h.

Referenced by Format::Format::assemble(), Acl::Init(), and sslGetCAAttribute().

◆ GetX509Fingerprint

const char * Ssl::GetX509Fingerprint

Definition at line 118 of file support.h.

Referenced by Acl::Init().

◆ GetX509PEM

SBuf Ssl::GetX509PEM

Definition at line 115 of file support.h.

Referenced by Format::Format::assemble(), sslGetUserCertificatePEM(), and STUB_RETVAL().

◆ GetX509UserAttribute

const char * Ssl::GetX509UserAttribute

Definition at line 109 of file support.h.

Referenced by Format::Format::assemble(), Acl::Init(), and sslGetUserAttribute().
