Ssl Namespace Reference


class  IcapPeerConnector
 A simple PeerConnector for Secure ICAP services. No SslBump capabilities. More...
class  Lock
 maintains an exclusive blocking file-based lock More...
class  Locker
 an exception-safe way to obtain and release a lock More...
class  CertificateDb
class  Bio
 BIO source and sink node, handling socket I/O and monitoring SSL state. More...
class  ClientBio
class  ServerBio
class  CertValidationRequest
class  CertValidationResponse
class  CertValidationMsg
class  Config
class  CertificateStorageAction
class  GlobalContextStorage
 Class for storing/manipulating LocalContextStorage per local listening address/port. More...
class  CrtdMessage
class  ErrorDetail
class  ErrorDetailFile
 manages error detail templates More...
class  ErrorDetailEntry
class  ErrorDetailsList
class  ErrorDetailsManager
class  CertificateProperties
class  GeneratorRequestor
 Initiator of an Ssl::Helper query. More...
class  GeneratorRequest
 A pending Ssl::Helper request, combining the original and collapsed queries. More...
class  Helper
class  CertValidationHelper
class  PeekingPeerConnector
 A PeerConnector for HTTP origin servers. Capable of SslBumping. More...
class  ServerBump


typedef LruMap< SBuf,
typedef std::unique_ptr
< STACK_OF(X509),
sk_X509_free_wrapper > 
typedef std::unique_ptr
< BIGNUM, HardFun< void,
BIGNUM *,&BN_free > > 
typedef std::unique_ptr< BIO,
HardFun< void, BIO
*,&BIO_vfree > > 
typedef std::unique_ptr
< ASN1_INTEGER, HardFun< void,
*,&ASN1_INTEGER_free > > 
typedef std::unique_ptr
*,&ASN1_OCTET_STRING_free > > 
typedef std::unique_ptr
< TXT_DB, HardFun< void,
TXT_DB *,&TXT_DB_free > > 
typedef std::unique_ptr
< X509_NAME, HardFun< void,
X509_NAME *,&X509_NAME_free > > 
typedef std::unique_ptr< RSA,
HardFun< void, RSA *,&RSA_free > > 
typedef std::unique_ptr
< X509_REQ, HardFun< void,
X509_REQ *,&X509_REQ_free > > 
typedef std::unique_ptr
*,&AUTHORITY_KEYID_free > > 
typedef std::unique_ptr
sk_GENERAL_NAME_free_wrapper > 
typedef std::unique_ptr
< GENERAL_NAME, HardFun< void,
*,&GENERAL_NAME_free > > 
typedef std::unique_ptr
< X509_EXTENSION, HardFun
< void, X509_EXTENSION
*,&X509_EXTENSION_free > > 
typedef std::unordered_map
< SBuf, GeneratorRequest * > 
 Ssl::Helper query:GeneratorRequest map. More...
typedef RefCount
< CertValidationResponse
typedef char const * GETX509ATTRIBUTE (X509 *, const char *)
typedef std::multimap< SBuf,
X509 * > 
 certificates indexed by issuer name More...


enum  CertSignAlgorithm {
  algSignTrusted = 0,
enum  CertAdaptAlgorithm {
  algSetValidAfter = 0,
enum  BumpMode {
  bumpNone = 0,
enum  BumpStep {


bool ParseErrorString (const char *name, Security::Errors &)
Security::ErrorCode GetErrorCode (const char *name)
 The Security::ErrorCode code of the error described by "name". More...
const char * GetErrorName (Security::ErrorCode value)
 The string representation of the TLS error "value". More...
const char * GetErrorDescr (Security::ErrorCode value)
 A short description of the TLS error "value". More...
bool ErrorIsOptional (const char *name)
void errorDetailInitialize ()
void errorDetailClean ()
 sk_dtor_wrapper (sk_X509, STACK_OF(X509)*, X509_free)
EVP_PKEY * createSslPrivateKey ()
bool writeCertAndPrivateKeyToMemory (Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey, std::string &bufferToWrite)
bool appendCertToMemory (Security::CertPointer const &cert, std::string &bufferToWrite)
bool readCertAndPrivateKeyFromMemory (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, char const *bufferToRead)
bool readCertFromMemory (Security::CertPointer &cert, char const *bufferToRead)
void ReadPrivateKeyFromFile (char const *keyFilename, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback)
bool OpenCertsFileForReading (BIO_Pointer &bio, const char *filename)
bool ReadX509Certificate (BIO_Pointer &bio, Security::CertPointer &cert)
bool ReadPrivateKey (BIO_Pointer &bio, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback)
bool OpenCertsFileForWriting (BIO_Pointer &bio, const char *filename)
bool WriteX509Certificate (BIO_Pointer &bio, const Security::CertPointer &cert)
bool WritePrivateKey (BIO_Pointer &bio, const Security::PrivateKeyPointer &pkey)
const char * certSignAlgorithm (int sg)
CertSignAlgorithm certSignAlgorithmId (const char *sg)
const char * sslCertAdaptAlgoritm (int alg)
std::string & OnDiskCertificateDbKey (const CertificateProperties &)
bool generateSslCertificate (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, CertificateProperties const &properties)
bool sslDateIsInTheFuture (char const *date)
bool certificateMatchesProperties (X509 *peer_cert, CertificateProperties const &properties)
const char * CommonHostName (X509 *x509)
const char * getOrganization (X509 *x509)
bool CertificatesCmp (const Security::CertPointer &cert1, const Security::CertPointer &cert2)
const ASN1_BIT_STRING * X509_get_signature (const Security::CertPointer &)
static void HandleGeneratorReply (void *data, const ::Helper::Reply &reply)
 receives helper response More...
int AskPasswordCb (char *buf, int size, int rwflag, void *userdata)
void Initialize ()
bool InitServerContext (Security::ContextPointer &, AnyP::PortCfg &)
 initialize a TLS server context with OpenSSL specific settings More...
bool InitClientContext (Security::ContextPointer &, Security::PeerOptions &, long flags)
 initialize a TLS client context with OpenSSL specific settings More...
void SetupVerifyCallback (Security::ContextPointer &)
 set the certificate verify callback for a context More...
void MaybeSetupRsaCallback (Security::ContextPointer &)
 if required, setup callback for generating ephemeral RSA keys More...
const char * bumpMode (int bm)
bool loadCerts (const char *certsFile, Ssl::CertsIndexedList &list)
bool loadSquidUntrusted (const char *path)
void unloadSquidUntrusted ()
void SSL_add_untrusted_cert (SSL *ssl, X509 *cert)
const char * uriOfIssuerIfMissing (X509 *cert, Security::CertList const &serverCertificates, const Security::ContextPointer &context)
void missingChainCertificatesUrls (std::queue< SBuf > &URIs, Security::CertList const &serverCertificates, const Security::ContextPointer &context)
bool generateUntrustedCert (Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
Security::ContextPointer GenerateSslContext (CertificateProperties const &, Security::ServerOptions &, bool trusted)
bool verifySslCertificate (Security::ContextPointer &, CertificateProperties const &)
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory (const char *data, Security::ServerOptions &, bool trusted)
Security::ContextPointer createSSLContext (Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
 Create SSL context and apply ssl certificate and private key to it. More...
void chainCertificatesToSSLContext (Security::ContextPointer &, Security::ServerOptions &)
void configureUnconfiguredSslContext (Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
bool configureSSL (SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
bool configureSSLUsingPkeyAndCertFromMemory (SSL *ssl, const char *data, AnyP::PortCfg &port)
void useSquidUntrusted (SSL_CTX *sslContext)
int matchX509CommonNames (X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
bool checkX509ServerValidity (X509 *cert, const char *server)
int asn1timeToString (ASN1_TIME *tm, char *buf, int len)
void setClientSNI (SSL *ssl, const char *fqdn)
void InRamCertificateDbKey (const Ssl::CertificateProperties &certProperties, SBuf &key)
BIO * BIO_new_SBuf (SBuf *buf)


Config TheConfig
GlobalContextStorage TheGlobalContextStorage
 Global cache for store all SSL server certificates. More...
const char * CertSignAlgorithmStr []
const char * CertAdaptAlgorithmStr []
GETX509ATTRIBUTE GetX509UserAttribute
GETX509ATTRIBUTE GetX509Fingerprint
const EVP_MD * DefaultSignHash = NULL
std::vector< const char * > BumpModeStr

Typedef Documentation

typedef std::unique_ptr<ASN1_INTEGER, HardFun<void, ASN1_INTEGER*, &ASN1_INTEGER_free> > Ssl::ASN1_INT_Pointer

Definition at line 52 of file gadgets.h.

typedef std::unique_ptr<ASN1_OCTET_STRING, HardFun<void, ASN1_OCTET_STRING*, &ASN1_OCTET_STRING_free> > Ssl::ASN1_OCTET_STRING_Pointer

Definition at line 54 of file gadgets.h.

typedef std::unique_ptr<AUTHORITY_KEYID, HardFun<void, AUTHORITY_KEYID*, &AUTHORITY_KEYID_free> > Ssl::AUTHORITY_KEYID_Pointer

Definition at line 64 of file gadgets.h.

typedef std::unique_ptr<BIGNUM, HardFun<void, BIGNUM*, &BN_free> > Ssl::BIGNUM_Pointer

Definition at line 48 of file gadgets.h.

typedef std::unique_ptr<BIO, HardFun<void, BIO*, &BIO_vfree> > Ssl::BIO_Pointer

Definition at line 50 of file gadgets.h.

typedef std::multimap< SBuf, X509 * > Ssl::CertsIndexedList

Definition at line 151 of file support.h.

typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME_free> > Ssl::GENERAL_NAME_Pointer

Definition at line 69 of file gadgets.h.

typedef std::unique_ptr<STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper> Ssl::GENERAL_NAME_STACK_Pointer

Definition at line 67 of file gadgets.h.

typedef std::unordered_map<SBuf, GeneratorRequest*> Ssl::GeneratorRequests

Definition at line 52 of file

typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free> > Ssl::RSA_Pointer

Definition at line 60 of file gadgets.h.

typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free> > Ssl::TXT_DB_Pointer

Definition at line 56 of file gadgets.h.

typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free> > Ssl::X509_EXTENSION_Pointer

Definition at line 71 of file gadgets.h.

typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free> > Ssl::X509_NAME_Pointer

Definition at line 58 of file gadgets.h.

typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free> > Ssl::X509_REQ_Pointer

Definition at line 62 of file gadgets.h.

typedef std::unique_ptr<STACK_OF(X509), sk_X509_free_wrapper> Ssl::X509_STACK_Pointer

Definition at line 46 of file gadgets.h.

Enumeration Type Documentation


Definition at line 133 of file support.h.

Function Documentation

int Ssl::AskPasswordCb ( char *  buf,
int  size,
int  rwflag,
void *  userdata 

callback for receiving password to access password secured PEM files XXX: Requires SSL_CTX_set_default_passwd_cb_userdata()!

Definition at line 63 of file

References len.

Referenced by Security::KeyData::loadX509PrivateKeyFromFile(), and ssl_ask_password().

void Ssl::errorDetailClean ( )

Definition at line 21 of file

References Ssl::ErrorDetailsManager::Shutdown().

Referenced by errorClean().

void Ssl::errorDetailInitialize ( )

Definition at line 16 of file

References Ssl::ErrorDetailsManager::GetInstance().

Referenced by errorInitialize().

bool Ssl::ErrorIsOptional ( const char *  name)
true if the TLS error is optional and may not be supported by current squid version

Definition at line 405 of file

References i, NULL, and OptionalSslErrors.

Referenced by Ssl::ErrorDetailFile::parse().

Security::ErrorCode Ssl::GetErrorCode ( const char *  name)
const char * Ssl::GetErrorDescr ( Security::ErrorCode  value)

Definition at line 415 of file

Referenced by ssl_verify_cb().

static void Ssl::HandleGeneratorReply ( void *  data,
const ::Helper::Reply reply 
bool Ssl::InitServerContext ( Security::ContextPointer ctx,
AnyP::PortCfg port 

Definition at line 522 of file

void Ssl::MaybeSetupRsaCallback ( Security::ContextPointer ctx)

Definition at line 170 of file

References debugs.

Referenced by InitClientContext(), and Security::ServerOptions::updateContextConfig().

void Ssl::missingChainCertificatesUrls ( std::queue< SBuf > &  URIs,
Security::CertList const &  serverCertificates,
const Security::ContextPointer context 

Fill URIs queue with the uris of missing certificates from serverCertificate chain if this information provided by Authority Info Access.

Definition at line 1080 of file

References i, and uriOfIssuerIfMissing().

Referenced by Security::PeerConnector::checkForMissingCertificates().

bool Ssl::ParseErrorString ( const char *  name,
Security::Errors errors 

Converts user-friendly error "name" into an Security::ErrorCode and adds it to the provided container (using emplace). This function can handle numeric error numbers as well as names.

Definition at line 356 of file

References assert, fatalf(), GetErrorCode(), i, loadSslErrorShortcutsMap(), NULL, SQUID_SSL_ERROR_MAX, SQUID_SSL_ERROR_MIN, TheSslErrorShortcuts, and xisdigit.

Referenced by ACLSslErrorData::parse().

void Ssl::SetupVerifyCallback ( Security::ContextPointer ctx)

Definition at line 393 of file

References ssl_verify_cb().

Referenced by InitClientContext(), and Security::ServerOptions::updateContextClientCa().

Ssl::sk_dtor_wrapper ( sk_X509  ,
STACK_OF(X509)*  ,

std::unique_ptr typedefs for common SSL objects

Ssl::sk_dtor_wrapper ( sk_GENERAL_NAME  ,
void Ssl::SSL_add_untrusted_cert ( SSL *  ssl,
X509 *  cert 

Add the certificate cert to ssl object untrusted certificates. Squid uses an attached to SSL object list of untrusted certificates, with certificates which can be used to complete incomplete chains sent by the SSL server.

Definition at line 1092 of file

References Here, ssl_ex_index_ssl_untrusted_chain, and STACK_OF().

Referenced by Security::PeerConnector::certDownloadingDone().

const char * Ssl::uriOfIssuerIfMissing ( X509 *  cert,
Security::CertList const &  serverCertificates,
const Security::ContextPointer context 

Searches in serverCertificates list for the cert issuer and if not found and Authority Info Access of cert provides a URI return it.

Definition at line 1059 of file

References findCertIssuer(), findCertIssuerFast(), hasAuthorityInfoAccessCaIssuers(), issuerExistInCaDb(), and SquidUntrustedCerts.

Referenced by Security::PeerConnector::certDownloadingDone(), and missingChainCertificatesUrls().

const ASN1_BIT_STRING * Ssl::X509_get_signature ( const Security::CertPointer cert)

wrapper for OpenSSL X509_get0_signature() which takes care of portability issues with older OpenSSL versions

Definition at line 939 of file

References Security::LockingPointer< T, UnLocker, Locker >::get(), and X509_get0_signature().

Referenced by InRamCertificateDbKey(), and printX509Signature().

Variable Documentation

const EVP_MD * Ssl::DefaultSignHash = NULL

Definition at line 43 of file

Referenced by ConnStateData::buildSslCertGenerationParams(), and Initialize().






Web Site Translations