This patch seeks to add support for TLSv1.1 and TLSv1.2 options and
methods alongside TLSv1.0 when OpenSSL v1.0.1+ is being built against.
It also updates the documentation for sslproxy_version which was not
mentioning what the supported version codes were.
Future work:
* make version config option(s) accept a set of named versions and
convert to codes internally.
* redesign how version and options are handled. Admin should be able
to just list the TLSv* wanted and Squid figure out the appropriate
options from there.
Amos
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2012-03-08 04:23:06 +0000
+++ src/cf.data.pre 2012-03-15 10:05:23 +0000
@@ -1402,7 +1402,9 @@
1 automatic (default)
2 SSLv2 only
3 SSLv3 only
- 4 TLSv1 only
+ 4 TLSv1.0 only
+ 5 TLSv1.1 only
+ 6 TLSv1.2 only
cipher= Colon separated list of supported ciphers.
NOTE: some ciphers such as EDH ciphers depend on
@@ -1412,9 +1414,11 @@
options= Various SSL implementation options. The most important
being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE Always create a new key when using
temporary/ephemeral DH key exchanges
ALL Enable various bug workarounds
@@ -1866,6 +1870,15 @@
TYPE: int
DOC_START
SSL version level to use when proxying https:// URLs
+
+ The versions of SSL/TLS supported:
+
+ 1 automatic (default)
+ 2 SSLv2 only
+ 3 SSLv3 only
+ 4 TLSv1.0 only
+ 5 TLSv1.1 only
+ 6 TLSv1.2 only
DOC_END
NAME: sslproxy_options
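Review bot: the new sslproxy_version list does not say that codes 5 and 6 only work when Squid is built against OpenSSL 1.0.1 or later, which the cover note states and which src/ssl/support.cc enforces by logging "TLSv1.1 is not available in this Proxy." and returning NULL. Add a line under the list, for example "Versions 5 and 6 require OpenSSL 1.0.1 or later; selecting them on an older build is a configuration error.", so an admin reading cf.data.pre knows why the setting is rejected. The same line belongs with the cache_peer sslversion= list later in this patch.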
@@ -1878,9 +1891,11 @@
The most important being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE
Always create a new key when using temporary/ephemeral
DH key exchanges
@@ -2331,21 +2346,25 @@
reference a combined file containing both the
certificate and the key.
- sslversion=1|2|3|4
+ sslversion=1|2|3|4|5|6
The SSL version to use when connecting to this peer
1 = automatic (default)
2 = SSL v2 only
3 = SSL v3 only
- 4 = TLS v1 only
+ 4 = TLS v1.0 only
+ 5 = TLS v1.1 only
+ 6 = TLS v1.2 only
sslcipher=... The list of valid SSL ciphers to use when connecting
to this peer.
ssloptions=... Specify various SSL implementation options:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1.0
+ NO_TLSv1_1 Disallow the use of TLSv1.1
+ NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE
Always create a new key when using
temporary/ephemeral DH key exchanges
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2012-02-20 18:07:29 +0000
+++ src/ssl/support.cc 2012-03-15 10:00:28 +0000
@@ -391,6 +391,16 @@
"NO_TLSv1", SSL_OP_NO_TLSv1
},
#endif
+#if SSL_OP_NO_TLSv1_1
+ {
+ "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
+ },
+#endif
+#if SSL_OP_NO_TLSv1_2
+ {
+ "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
+ },
+#endif
{
"", 0
},
@@ -680,6 +690,26 @@
method = TLSv1_server_method();
break;
+ case 5:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which
sub-version yet.
+ debugs(83, 5, "Using TLSv1.1.");
+ method = TLSv1_1_server_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
+ case 6:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which
sub-version yet.
+ debugs(83, 5, "Using TLSv1.2");
+ method = TLSv1_2_server_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
case 1:
default:
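Review bot: the "// NP: not sure exactly which sub-version yet." comment on the OPENSSL_VERSION_NUMBER guard should be resolved before commit; TLSv1_1_server_method() and TLSv1_2_server_method() were introduced in OpenSSL 1.0.1, so 0x10001000L is the right threshold, but keying the guard off the feature macro already used in the options table above (SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2, or TLS1_1_VERSION / TLS1_2_VERSION) avoids depending on a remembered version number at all. Two smaller points in the same cases: the debug strings differ ("Using TLSv1.1." versus "Using TLSv1.2"), and the new `return NULL;` paths mean every caller of this function must treat a NULL method as a fatal configuration error rather than passing it on to SSL_CTX_new().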
@@ -879,6 +909,26 @@
method = TLSv1_client_method();
break;
+ case 5:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which
sub-version yet.
+ debugs(83, 5, "Using TLSv1.1.");
+ method = TLSv1_1_client_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
+ case 6:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which
sub-version yet.
+ debugs(83, 5, "Using TLSv1.2");
+ method = TLSv1_2_client_method();
+#else
+ debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy.");
+ return NULL;
+#endif
+ break;
+
case 1:
default:
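Review bot: this client-side block is a copy of the server-side one with only TLSv1_1_client_method() / TLSv1_2_client_method() changed, so the version guard, the two debug messages and the "not available in this Proxy" errors now exist in four places and will drift (the missing trailing period on "Using TLSv1.2" is already inconsistent with "Using TLSv1.1." two cases earlier). Consider a single table mapping each version code to its client and server method, with one guard per OpenSSL feature, so both selection functions share the availability check and the error text.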