--------------------- PatchSet 2877 Date: 2001/08/26 20:13:19 Author: hno Branch: hno-emara Tag: (none) Log: Merged in the "ssl" branch for more detailed SSL options Members: src/cache_cf.c:1.33.4.1->1.33.4.2 src/cf.data.pre:1.32.4.1->1.32.4.2 src/client_side.c:1.34.4.1->1.34.4.2 src/ssl_support.c:1.3.16.1->1.3.16.2 src/ssl_support.h:1.3->1.3.16.1 src/structs.h:1.38.6.1->1.38.6.2 Index: squid/src/cache_cf.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cache_cf.c,v retrieving revision 1.33.4.1 retrieving revision 1.33.4.2 diff -u -r1.33.4.1 -r1.33.4.2 --- squid/src/cache_cf.c 26 Aug 2001 20:02:40 -0000 1.33.4.1 +++ squid/src/cache_cf.c 26 Aug 2001 20:13:19 -0000 1.33.4.2 @@ -1,6 +1,6 @@ /* - * $Id: cache_cf.c,v 1.33.4.1 2001/08/26 20:02:40 hno Exp $ + * $Id: cache_cf.c,v 1.33.4.2 2001/08/26 20:13:19 hno Exp $ * * DEBUG: section 3 Configuration File Parsing * AUTHOR: Harvest Derived @@ -2424,6 +2424,11 @@ } else if (strncmp(token, "key=", 4) == 0) { safe_free(s->key); s->key = xstrdup(token + 4); + } else if (strncmp(token, "version=", 8) == 0) { + s->version = atoi(token+8); + } else if (strncmp(token, "options=", 8) == 0) { + safe_free(s->options); + s->options = xstrdup(token + 8); } else { parse_http_port_option(&s->http, token); } Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.32.4.1 retrieving revision 1.32.4.2 diff -u -r1.32.4.1 -r1.32.4.2 --- squid/src/cf.data.pre 26 Aug 2001 20:02:40 -0000 1.32.4.1 +++ squid/src/cf.data.pre 26 Aug 2001 20:13:20 -0000 1.32.4.2 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.32.4.1 2001/08/26 20:02:40 hno Exp $ +# $Id: cf.data.pre,v 1.32.4.2 2001/08/26 20:13:20 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ 
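Review bot: The `cipher=` option that cf.data.pre documents and that client_side.c now passes to `sslCreateContext()` as `s->cipher` is never parsed here — this patchset's only cache_cf.c hunk adds `version=` and `options=`, so a `cipher=` token is handed to `parse_http_port_option()` instead and `s->cipher` stays at whatever the entry's allocation left in it (presumably NULL). Add a branch beside the others: `} else if (strncmp(token, "cipher=", 7) == 0) {` / `safe_free(s->cipher);` / `s->cipher = xstrdup(token + 7);`. `s->version = atoi(token+8)` also accepts any text silently; since only 1–4 are documented, a `strtol` with an end-pointer check plus a fatal error on anything else would catch typos at parse time rather than relying on the `switch (version)` in ssl_support.c, whose default branch is outside this diff. The enclosing parser function starts and ends outside the hunk.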
@@ -126,24 +126,23 @@ url_rewrite_program) protocol= Protocol to reconstruct accelerated requests with. Defaults to https. + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only + cipher= Colon separated list of supported ciphers + options= Varions SSL engine options. The most important being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + See src/ssl_support.c or OpenSSL documentation for + a more complete list of SSL engine options. + [the other options from http_port are also available but does not make much sense for use in https_port] DOC_END -NAME: ssl_version -IFDEF: USE_SSL -TYPE: int -DEFAULT: 1 -LOC: Config.SSL.version -DOC_START - Determines the version of SSL/TLS used. - 1: SSLv2/SSLv3 - 2: SSLv2 only - 3: SSLv3 only - 4: TLSv1 -DOC_END - - NAME: icp_port udp_port TYPE: ushort DEFAULT: 3130 Index: squid/src/client_side.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/client_side.c,v retrieving revision 1.34.4.1 retrieving revision 1.34.4.2 diff -u -r1.34.4.1 -r1.34.4.2 --- squid/src/client_side.c 26 Aug 2001 20:02:41 -0000 1.34.4.1 +++ squid/src/client_side.c 26 Aug 2001 20:13:20 -0000 1.34.4.2 @@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.34.4.1 2001/08/26 20:02:41 hno Exp $ + * $Id: client_side.c,v 1.34.4.2 2001/08/26 20:13:20 hno Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -3826,7 +3826,7 @@ https_port_list *s; int fd; for (s = Config.Sockaddr.https; s; s = (https_port_list *) s->http.next) { - s->sslContext = sslLoadCert(s->cert, s->key); + s->sslContext = sslCreateContext(s->cert, s->key, s->version, s->cipher, s->options); if (!s->sslContext) continue; enter_suid(); 
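Review bot: The new `options=` text does not describe the syntax `ssl_parse_options()` actually accepts: names are applied on top of a default of `SSL_OP_ALL`, a `-` or `!` prefix clears a flag, `+` (or no prefix) sets it, several may be joined with `:` or `,`, a raw `0x…` value is accepted, and an unknown name aborts startup. Spelling that out here would also make clear that with `version=1` (presumably the SSLv23 method) and no `options=`, SSLv2 stays negotiable unless `NO_SSLv2` is given, which is the one setting most operators will want. Typo in the new text: `Varions` → `Various`. The removed `ssl_version` directive carried `DEFAULT: 1`, but nothing in this patchset visibly initialises the new `https_port_list.version` field, so the `1 automatic (default)` claim should be checked against the https_port allocation code, which is outside the diff.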
@@ -3849,7 +3849,6 @@
 HttpSockets[NHttpSockets++] = fd;
 }
 }
-
 #endif
 void
Index: squid/src/ssl_support.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/ssl_support.c,v
retrieving revision 1.3.16.1
retrieving revision 1.3.16.2
diff -u -r1.3.16.1 -r1.3.16.2
--- squid/src/ssl_support.c 26 Aug 2001 20:02:41 -0000 1.3.16.1
+++ squid/src/ssl_support.c 26 Aug 2001 20:13:20 -0000 1.3.16.2
@@ -88,8 +88,97 @@
 return ok;
 }
+static struct ssl_option {
+ char *name;
+ long value;
+} ssl_options[] = {
+ {"MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG},
+ {"NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG},
+ {"NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
+ {"SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
+ {"MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
+ {"MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING},
+ {"SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
+ {"TLS_D5_BUG", SSL_OP_TLS_D5_BUG},
+ {"TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG},
+ {"TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG},
+ {"SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE},
+ {"EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA},
+ {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
+ {"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2},
+ {"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG},
+ {"NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST},
+ {"NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
+ {"ALL", SSL_OP_ALL},
+ {"NO_SSLv2", SSL_OP_NO_SSLv2},
+ {"NO_SSLv3", SSL_OP_NO_SSLv3},
+ {"NO_TLSv1", SSL_OP_NO_TLSv1},
+ {"", 0},
+ {NULL, 0}
+};
+
+static long ssl_parse_options(const char *options)
+{
+ long op = SSL_OP_ALL;
+ char *tmp;
+ char *option;
+
+ if (!options)
+ goto no_options;
+
+ tmp = xstrdup(options);
+ option = strtok(tmp, ":,");
+ while(option) {
+ struct ssl_option *opt = NULL, *opttmp;
+ long value = 0;
+ enum { MODE_ADD, MODE_REMOVE } mode;
+ switch (*option) {
+ case '!':
+ case '-':
+ mode = MODE_REMOVE;
+ option++;
+ break;
+ case '+':
+ mode = MODE_ADD;
+ option++;
+ break;
+ default:
+ mode = MODE_ADD;
+ break;
+ }
+ for (opttmp = ssl_options; opttmp->name; opttmp++) {
+ if (strcmp(opttmp->name, option) == 0) {
+ opt = opttmp;
+ break;
+ }
+ }
+ if (opt)
+ value = opt->value;
+ else if (strncmp(option, "0x", 2) == 0) {
+ /* Special case..
hex specification */
+ value = strtol(option+2, NULL, 16);
+ } else {
+ fatalf("Unknown SSL option '%s'", option);
+ value = 0; /* Keep GCC happy */
+ }
+ switch(mode) {
+ case MODE_ADD:
+ op |= value;
+ break;
+ case MODE_REMOVE:
+ op &= ~value;
+ break;
+ }
+ option = strtok(NULL, ":,");
+ }
+
+ safe_free(tmp);
+no_options:
+ return op;
+}
+
 SSL_CTX *
-sslLoadCert(const char *certfile, const char *keyfile)
+sslCreateContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options)
 {
 int ssl_error;
 SSL_METHOD *method;
@@ -106,7 +195,7 @@
 certfile = keyfile;
 debug(81, 1) ("Initialising SSL.\n");
- switch (Config.SSL.version) {
+ switch (version) {
 case 2:
 debug(81, 5) ("Using SSLv2.\n");
 method = SSLv2_server_method();
@@ -132,7 +221,16 @@
 fatalf("Failed to allocate SSL context: %s\n", ERR_error_string(ssl_error, NULL));
 }
- SSL_CTX_set_options(sslContext, SSL_OP_ALL);
+ SSL_CTX_set_options(sslContext, ssl_parse_options(options));
+
+ if (cipher) {
+ debug(81, 5) ("Using chiper suite %s.\n", cipher);
+ if (!SSL_CTX_set_cipher_list(sslContext, cipher)) {
+ ssl_error = ERR_get_error();
+ fatalf("Failed to set SSL cipher suite: %s\n",
+ ERR_error_string(ssl_error, NULL));
+ }
+ }
 debug(81, 1) ("Using certificate in %s\n", certfile);
 if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {
Index: squid/src/ssl_support.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/ssl_support.h,v
retrieving revision 1.3
retrieving revision 1.3.16.1
diff -u -r1.3 -r1.3.16.1
--- squid/src/ssl_support.h 4 May 2001 13:39:12 -0000 1.3
+++ squid/src/ssl_support.h 26 Aug 2001 20:13:20 -0000 1.3.16.1
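Review bot: The `0x` branch of ssl_parse_options calls `strtol(option+2, NULL, 16)` with no end-pointer or errno check, so `options=0xZZ` silently parses as 0 and a value at or above 0x80000000 on a 32-bit `long` is clamped to LONG_MAX with ERANGE; neither is rejected, while a mistyped name on the other path is fatal. Parse it as `char *end; value = (long) strtoul(option + 2, &end, 16);` followed by `if (end == option + 2 || *end != '\0') fatalf("Invalid SSL option '%s'", option);`. Minor: the table can be `static const struct ssl_option { const char *name; long value; }`, and `strtok` keeps static state, so `strtok_r` would be safer should this ever be called from more than one place. Because `op` starts at `SSL_OP_ALL`, every bug-workaround bit is on unless the operator writes `!ALL`; a one-line comment above that initialiser saying so would save the next reader a trip to the docs.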
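Review bot: The new debug message misspells cipher: `debug(81, 5) ("Using chiper suite %s.\n", cipher);`. It would also help operators to log the effective option mask at the same level, since `ssl_parse_options()` builds it from a default plus user edits and a mis-typed `-`/`+` prefix is otherwise invisible — capture the return value in a local before passing it to `SSL_CTX_set_options()` and print it with `%lx`. The function continues past the end of the hunk.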
@@ -43,7 +43,7 @@
 #include
 #endif
-SSL_CTX *sslLoadCert(const char *certfile, const char *keyfile);
+SSL_CTX *sslCreateContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options);
 int ssl_read_method(int, char *, int);
 int ssl_write_method(int, const char *, int);
Index: squid/src/structs.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/structs.h,v
retrieving revision 1.38.6.1
retrieving revision 1.38.6.2
diff -u -r1.38.6.1 -r1.38.6.2
--- squid/src/structs.h 26 Aug 2001 20:02:41 -0000 1.38.6.1
+++ squid/src/structs.h 26 Aug 2001 20:13:20 -0000 1.38.6.2
@@ -1,6 +1,6 @@
 /*
- * $Id: structs.h,v 1.38.6.1 2001/08/26 20:02:41 hno Exp $
+ * $Id: structs.h,v 1.38.6.2 2001/08/26 20:13:20 hno Exp $
 *
 *
 * SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -328,6 +328,9 @@
 http_port_list http; /* must be first */
 char *cert;
 char *key;
+ int version;
+ char *cipher;
+ char *options;
 SSL_CTX *sslContext;
 };
@@ -667,13 +670,6 @@
 int rebuild_chunk_percentage;
 } digest;
 #endif
-#if USE_SSL
- struct {
- char *certificate;
- char *key;
- int version;
- } SSL;
-#endif
 wordlist *ext_methods;
 struct {
 int high_rptm;