TLS squid.conf settings for a listening port. More...

#include <ServerOptions.h>


Public Types

typedef std::unique_ptr< STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper > X509_NAME_STACK_Pointer

Public Member Functions

 sk_dtor_wrapper (sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free)
 ServerOptions ()
 ServerOptions (const ServerOptions &o)
ServerOptions & operator= (const ServerOptions &)
 ServerOptions (ServerOptions &&o)
ServerOptions & operator= (ServerOptions &&o)
 ~ServerOptions () override=default
void parse (const char *) override
 parse a TLS squid.conf option More...
void clear () override
 reset the configuration details to default More...
Security::ContextPointer createBlankContext () const override
 generate an unset security context object More...
void dumpCfg (std::ostream &, const char *pfx) const override
 output squid.conf syntax with 'pfx' prefix on parameters for the stored settings More...
void initServerContexts (AnyP::PortCfg &)
bool updateContextConfig (Security::ContextPointer &)
 update the given TLS security context using squid.conf settings More...
void updateContextEecdh (Security::ContextPointer &)
 update the context with DH, EDH, EECDH settings More...
void updateContextClientCa (Security::ContextPointer &)
 update the context with CA details used to verify client certificates More...
void updateContextSessionId (Security::ContextPointer &)
 update the context with a configured session ID (if any) More...
void syncCaFiles ()
 sync the various sources of CA files to be loaded More...
void parseOptions ()
 parse and verify the [tls-]options= string in sslOptions More...
Security::ContextPointer createClientContext (bool setOptions)
 generate a security client-context from these configured options More...
void updateTlsVersionLimits ()
 sync the context options with tls-min-version=N configuration More...
void updateContextOptions (Security::ContextPointer &)
 Set up the library-specific 'options=' parameters for the given context. More...
void updateContextNpn (Security::ContextPointer &)
 set up the NPN extension details for the given context More...
void updateContextCa (Security::ContextPointer &)
 set up the CA details for the given context More...
void updateContextCrl (Security::ContextPointer &)
 set up the CRL details for the given context More...
void updateContextTrust (Security::ContextPointer &)
 decide which CAs to trust More...
void updateSessionOptions (Security::SessionPointer &)
 set up any library-specific options that can be set for the given session More...

Public Attributes

Security::ContextPointer staticContext
 TLS context to use for HTTPS accelerator or static SSL-Bump. More...
SBuf staticContextSessionId
 "session id context" for staticContext More...
bool generateHostCertificates = true
 dynamically make host cert More...
Security::KeyData signingCa
 x509 certificate and key for signing generated certificates More...
Security::KeyData untrustedSigningCa
 x509 certificate and key for signing untrusted generated certificates More...
size_t dynamicCertMemCacheSize = 4*1024*1024
 max size of generated certificates memory cache (4 MB default) More...
SBuf sslOptions
 library-specific options string More...
SBuf caDir
 path of directory containing a set of trusted Certificate Authorities More...
SBuf crlFile
 path of file containing a Certificate Revocation List (CRL) More...
SBuf sslCipher
SBuf sslFlags
 flags defining what TLS operations Squid performs More...
SBuf sslDomain
SBuf tlsMinVersion
 version label for minimum TLS version to permit More...
ParsedPortFlags parsedFlags = 0
 parsed value of sslFlags More...
std::list< Security::KeyData > certs
 details from the cert= and file= config parameters More...
std::list< SBuf > caFiles
 paths of files containing trusted Certificate Authority certificates More...
Security::CertRevokeList parsedCrl
 CRL to use when verifying the remote end certificate. More...
bool encryptTransport = false
 whether transport encryption (TLS/SSL) is to be used on connections to the peer More...

Protected Member Functions

template<typename T >
Security::ContextPointer convertContextFromRawPtr (T ctx) const

Protected Attributes

int sslVersion = 0
struct Security::PeerOptions::flags_ flags

Private Member Functions

bool loadClientCaFile ()
void loadDhParams ()
bool createStaticServerContext (AnyP::PortCfg &)
void createSigningContexts (const AnyP::PortCfg &)
ParsedPortFlags parseFlags ()
void loadCrlFile ()
void loadKeysFile ()

Private Attributes

SBuf clientCaFile
 name of file to load client CAs from More...
X509_NAME_STACK_Pointer clientCaStack
 CA certificate(s) to use when verifying client certificates. More...
SBuf dh
 Diffie-Hellman cipher config. More...
SBuf dhParamsFile
 Diffie-Hellman ciphers parameter file. More...
SBuf eecdhCurve
 Elliptic curve for ephemeral EC-based DH key exchanges. More...
Security::DhePointer parsedDhParams
 DH parameters for temporary/ephemeral DH key exchanges. More...
SBuf tlsMinOptions
Security::ParsedOptions parsedOptions
bool optsReparse = true
 whether parsedOptions content needs to be regenerated More...

Detailed Description

Definition at line 25 of file ServerOptions.h.

Member Typedef Documentation

◆ X509_NAME_STACK_Pointer

typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> Security::ServerOptions::X509_NAME_STACK_Pointer

Definition at line 30 of file ServerOptions.h.

Constructor & Destructor Documentation

◆ ServerOptions() [1/3]

Security::ServerOptions::ServerOptions ( )

◆ ServerOptions() [2/3]

Security::ServerOptions::ServerOptions ( const ServerOptions &  o)

Definition at line 38 of file ServerOptions.h.

◆ ServerOptions() [3/3]

Security::ServerOptions::ServerOptions ( ServerOptions &&  o)

Definition at line 40 of file ServerOptions.h.

References operator=().

◆ ~ServerOptions()

Security::ServerOptions::~ServerOptions ( )

Member Function Documentation

◆ clear()

void Security::ServerOptions::clear ( )

Reimplemented from Security::PeerOptions.

Definition at line 46 of file ServerOptions.h.

References ServerOptions().

◆ convertContextFromRawPtr()

template<typename T >
Security::ContextPointer Security::PeerOptions::convertContextFromRawPtr ( T  ctx) const

Definition at line 111 of file PeerOptions.h.

References assert, and debugs.

◆ createBlankContext()

Security::ContextPointer Security::ServerOptions::createBlankContext ( ) const

Reimplemented from Security::PeerOptions.

Definition at line 162 of file

References DBG_CRITICAL, debugs, Security::ErrorString(), Ssl::Initialize(), and TLS_server_method.

Referenced by Ssl::createSSLContext().

◆ createClientContext()

Security::ContextPointer Security::PeerOptions::createClientContext ( bool  setOptions)

Definition at line 271 of file

References Ssl::InitClientContext().

Referenced by configDoConfigure().

◆ createSigningContexts()

void Security::ServerOptions::createSigningContexts ( const AnyP::PortCfg &  port)

Initialize contexts for signing dynamic TLS certificates (if needed). The resulting keys are stored in signingCa and untrustedSigningCa.

Definition at line 284 of file

References DBG_CRITICAL, DBG_IMPORTANT, debugs, fatalf(), Ssl::generateUntrustedCert(), port, and AnyP::ProtocolType_str.

◆ createStaticServerContext()

bool Security::ServerOptions::createStaticServerContext ( AnyP::PortCfg &  )

Generate a security server-context from these configured options. The resulting context is stored in staticContext.

Returns true if a context could be created.

Definition at line 213 of file

References SBuf::append(), SBuf::appendf(), DBG_CRITICAL, DBG_IMPORTANT, debugs, error(), Security::ErrorString(), and keys.

◆ dumpCfg()

void Security::ServerOptions::dumpCfg ( std::ostream &  os,
const char *  pfx 
) const

Reimplemented from Security::PeerOptions.

Definition at line 139 of file

References Security::PeerOptions::dumpCfg().

◆ initServerContexts()

void Security::ServerOptions::initServerContexts ( AnyP::PortCfg &  port)

Initialize all server contexts as needed and load PEM files. If none can be created, this may do nothing.

Definition at line 192 of file

References fatalf(), port, and AnyP::ProtocolType_str.

◆ loadClientCaFile()

bool Security::ServerOptions::loadClientCaFile ( )

Load the clientca= file (if any) into memory.

Return values
true: clientca is not set, or the file was loaded successfully
false: unable to load the file, or not using OpenSSL

Definition at line 337 of file

References DBG_CRITICAL, and debugs.

◆ loadCrlFile()

void Security::PeerOptions::loadCrlFile ( )

Load the CRL list stored in the file whose path/name is in crlFile. Replaces any CRL loaded previously.

Definition at line 613 of file

References debugs.

◆ loadDhParams()

void Security::ServerOptions::loadDhParams ( )

◆ loadKeysFile()

void Security::PeerOptions::loadKeysFile ( )

◆ operator=() [1/2]

◆ operator=() [2/2]

ServerOptions & Security::ServerOptions::operator= ( ServerOptions &&  o)

Definition at line 41 of file ServerOptions.h.

References operator=().

◆ parse()

void Security::ServerOptions::parse ( const char *  token)

◆ parseFlags()

◆ parseOptions()

void Security::PeerOptions::parseOptions ( )

Pre-parse the TLS options= parameter to be applied when the TLS objects are created. Options must not be used in the case of peek or stare bump mode.

Definition at line 442 of file

References CharacterSet::ALPHA, SBuf::append(), Parser::Tokenizer::atEnd(), SBuf::c_str(), SBuf::cmp(), DBG_IMPORTANT, DBG_PARSE_NOTE, debugs, CharacterSet::DIGIT, Security::ErrorString(), fatalf(), Parser::Tokenizer::int64(), SBuf::isEmpty(), ssl_option::name, SQUIDSBUFPH, SQUIDSBUFPRINT, and ssl_options.

Referenced by Security::PeerOptions::PeerOptions(), and parse_securePeerOptions().

◆ sk_dtor_wrapper()

Security::ServerOptions::sk_dtor_wrapper ( sk_X509_NAME  ,
STACK_OF(X509_NAME) *  ,

◆ syncCaFiles()

void Security::ServerOptions::syncCaFiles ( )

Definition at line 322 of file

◆ updateContextCa()

void Security::PeerOptions::updateContextCa ( Security::ContextPointer &  ctx)

Definition at line 691 of file

References DBG_IMPORTANT, debugs, Security::ErrorString(), and loadSystemTrustedCa().

◆ updateContextClientCa()

void Security::ServerOptions::updateContextClientCa ( Security::ContextPointer &  ctx)

◆ updateContextConfig()

◆ updateContextCrl()

void Security::PeerOptions::updateContextCrl ( Security::ContextPointer &  ctx)

Definition at line 727 of file


◆ updateContextEecdh()

void Security::ServerOptions::updateContextEecdh ( Security::ContextPointer &  ctx)

◆ updateContextNpn()

void Security::PeerOptions::updateContextNpn ( Security::ContextPointer &  ctx)

Definition at line 659 of file

◆ updateContextOptions()

void Security::PeerOptions::updateContextOptions ( Security::ContextPointer &  ctx)

Definition at line 634 of file

◆ updateContextSessionId()

void Security::ServerOptions::updateContextSessionId ( Security::ContextPointer &  ctx)

Definition at line 574 of file

◆ updateContextTrust()

void Security::PeerOptions::updateContextTrust ( Security::ContextPointer &  ctx)

Definition at line 754 of file

References assert, DBG_IMPORTANT, debugs, and Security::ErrorString().

◆ updateSessionOptions()

void Security::PeerOptions::updateSessionOptions ( Security::SessionPointer &  s)

◆ updateTlsVersionLimits()

void Security::PeerOptions::updateTlsVersionLimits ( )

Definition at line 153 of file

References SBuf::append(), SBuf::chop(), DBG_PARSE_NOTE, and debugs.

Member Data Documentation

◆ caDir

SBuf Security::PeerOptions::caDir

Definition at line 81 of file PeerOptions.h.

◆ caFiles

std::list<SBuf> Security::PeerOptions::caFiles

Definition at line 106 of file PeerOptions.h.

◆ certs

std::list<Security::KeyData> Security::PeerOptions::certs

Definition at line 105 of file PeerOptions.h.

Referenced by Ssl::InitClientContext().

◆ clientCaFile

SBuf Security::ServerOptions::clientCaFile

Definition at line 107 of file ServerOptions.h.

Referenced by operator=().

◆ clientCaStack

X509_NAME_STACK_Pointer Security::ServerOptions::clientCaStack

Definition at line 110 of file ServerOptions.h.

Referenced by operator=().

◆ crlFile

SBuf Security::PeerOptions::crlFile

Definition at line 82 of file PeerOptions.h.

◆ dh

SBuf Security::ServerOptions::dh

Definition at line 115 of file ServerOptions.h.

Referenced by operator=().

◆ dhParamsFile

SBuf Security::ServerOptions::dhParamsFile

Definition at line 116 of file ServerOptions.h.

Referenced by operator=().

◆ dynamicCertMemCacheSize

size_t Security::ServerOptions::dynamicCertMemCacheSize = 4*1024*1024

Definition at line 91 of file ServerOptions.h.

Referenced by operator=().

◆ eecdhCurve

SBuf Security::ServerOptions::eecdhCurve

Definition at line 117 of file ServerOptions.h.

Referenced by operator=().

◆ encryptTransport

◆ flags

struct Security::PeerOptions::flags_ Security::PeerOptions::flags

Referenced by ServerOptions().

◆ generateHostCertificates

bool Security::ServerOptions::generateHostCertificates = true

Definition at line 75 of file ServerOptions.h.

Referenced by operator=().

◆ optsReparse

bool Security::PeerOptions::optsReparse = true

Definition at line 100 of file PeerOptions.h.

◆ parsedCrl

Security::CertRevokeList Security::PeerOptions::parsedCrl

Definition at line 107 of file PeerOptions.h.

◆ parsedDhParams

Security::DhePointer Security::ServerOptions::parsedDhParams

Definition at line 119 of file ServerOptions.h.

Referenced by operator=().

◆ parsedFlags

ParsedPortFlags Security::PeerOptions::parsedFlags = 0

Definition at line 103 of file PeerOptions.h.

◆ parsedOptions

Security::ParsedOptions Security::PeerOptions::parsedOptions

Parsed value of sslOptions + tlsMinOptions settings. Set optsReparse=true to have this re-parsed before next use.

Definition at line 97 of file PeerOptions.h.

◆ signingCa

Security::KeyData Security::ServerOptions::signingCa

Definition at line 87 of file ServerOptions.h.

Referenced by Ssl::chainCertificatesToSSLContext(), and operator=().

◆ sslCipher

SBuf Security::PeerOptions::sslCipher

Definition at line 84 of file PeerOptions.h.

Referenced by Ssl::InitClientContext().

◆ sslDomain

SBuf Security::PeerOptions::sslDomain

Definition at line 86 of file PeerOptions.h.

Referenced by Security::BlindPeerConnector::initialize().

◆ sslFlags

SBuf Security::PeerOptions::sslFlags

Definition at line 85 of file PeerOptions.h.

◆ sslOptions

SBuf Security::PeerOptions::sslOptions

Definition at line 80 of file PeerOptions.h.

◆ sslVersion

int Security::PeerOptions::sslVersion = 0

Definition at line 130 of file PeerOptions.h.

◆ staticContext

Security::ContextPointer Security::ServerOptions::staticContext

Definition at line 71 of file ServerOptions.h.

◆ staticContextSessionId

SBuf Security::ServerOptions::staticContextSessionId

Definition at line 72 of file ServerOptions.h.

Referenced by operator=().

◆ tlsMinOptions

SBuf Security::PeerOptions::tlsMinOptions

Library-specific options string generated from tlsMinVersion. Call updateTlsVersionLimits() to regenerate this string.

Definition at line 93 of file PeerOptions.h.

◆ tlsMinVersion

SBuf Security::PeerOptions::tlsMinVersion

Definition at line 88 of file PeerOptions.h.

◆ untrustedSigningCa

Security::KeyData Security::ServerOptions::untrustedSigningCa

Definition at line 88 of file ServerOptions.h.

Referenced by operator=().

The documentation for this class was generated from the following files:





