1 From 2dcbe5cd4661e90030d1e9586f59d01c9c1e945a Mon Sep 17 00:00:00 2001
2 From: Amos Jeffries <amosjeffries@squid-cache.org>
3 Date: Thu, 23 Jul 2020 17:38:26 +1200
4 Subject: [PATCH 01/10] Update license disclaimer
6 OpenSSL 3.0 uses Apache License v2 which removes the SSLeay distribution restrictions.
9 1 file changed, 2 insertions(+)
11 diff --git a/src/main.cc b/src/main.cc
12 index 4576b761c54..4654df0be0a 100644
15 @@ -672,7 +672,9 @@ mainHandleCommandLineOption(const int optId, const char *optValue)
16 printf("%s\n",SQUID_BUILD_INFO);
18 printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION));
19 +#if OPENSSL_VERSION_MAJOR < 3
20 printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
23 printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
26 From 18628a4b53ed6ea1be91b26d201ef8a75e3b39de Mon Sep 17 00:00:00 2001
27 From: Amos Jeffries <amosjeffries@squid-cache.org>
28 Date: Thu, 23 Jul 2020 18:08:15 +1200
29 Subject: [PATCH 02/10] TODO Upgrade API calls verifying loaded DH params file
32 src/security/ServerOptions.cc | 5 +++++
33 1 file changed, 5 insertions(+)
35 diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
36 index 2613c279f2c..dee22869a74 100644
37 --- a/src/security/ServerOptions.cc
38 +++ b/src/security/ServerOptions.cc
39 @@ -364,6 +364,10 @@ Security::ServerOptions::loadDhParams()
43 +#if OPENSSL_VERSION_MAJOR < 3
44 + // DH_check() removed in OpenSSL 3.0.
45 + // TODO: use the EVP API instead, which also works in OpenSSL 1.1.
46 + // But it is not yet clear exactly how that API works for DH.
48 if (DH_check(dhp, &codes) == 0) {
50 @@ -372,6 +376,7 @@ Security::ServerOptions::loadDhParams()
56 parsedDhParams.resetWithoutLocking(dhp);
59 From 8de1d03adf5a001c9bf9784543e345b9a5e47804 Mon Sep 17 00:00:00 2001
60 From: Amos Jeffries <amosjeffries@squid-cache.org>
61 Date: Thu, 23 Jul 2020 18:51:20 +1200
62 Subject: [PATCH 03/10] Declaration of CRYPTO_EX_dup changed again in 3.0
65 src/ssl/support.cc | 6 +++++-
66 1 file changed, 5 insertions(+), 1 deletion(-)
68 diff --git a/src/ssl/support.cc b/src/ssl/support.cc
69 index e33fad6adfc..c9d99e9a27e 100644
70 --- a/src/ssl/support.cc
71 +++ b/src/ssl/support.cc
72 @@ -559,7 +559,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
75 // "dup" function for SSL_get_ex_new_index("cert_err_check")
76 -#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
77 +#if OPENSSL_VERSION_MAJOR >= 3
79 +ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
81 +#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
83 ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
86 From c194b7327ffd6f22a141b9031d8fb21f5f96596e Mon Sep 17 00:00:00 2001
87 From: Amos Jeffries <amosjeffries@squid-cache.org>
88 Date: Thu, 23 Jul 2020 21:02:36 +1200
89 Subject: [PATCH 04/10] Refactor Ssl::createSslPrivateKey()
91 * Use the OpenSSL 1.1+ EVP API for generating RSA keys.
93 * Make static since this is only used by the gadgets.cc code.
95 src/ssl/gadgets.cc | 41 +++++++++++++++++------------------------
96 src/ssl/gadgets.h | 8 +-------
97 2 files changed, 18 insertions(+), 31 deletions(-)
99 diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
100 index 36262e29ba0..c1e81c79291 100644
101 --- a/src/ssl/gadgets.cc
102 +++ b/src/ssl/gadgets.cc
105 #include "ssl/gadgets.h"
107 -EVP_PKEY * Ssl::createSslPrivateKey()
109 +CreateRsaPrivateKey()
111 - Security::PrivateKeyPointer pkey(EVP_PKEY_new());
116 - BIGNUM_Pointer bn(BN_new());
120 - if (!BN_set_word(bn.get(), RSA_F4))
123 - Ssl::RSA_Pointer rsa(RSA_new());
124 + Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr));
129 - int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?
130 - if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL))
132 + if (EVP_PKEY_keygen_init(rsa.get()) <= 0)
137 + int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?
138 + if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0)
141 - if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get())))
144 + Security::PrivateKeyPointer pkey(EVP_PKEY_new());
146 + auto *foo = pkey.get();
147 + if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0)
152 return pkey.release();
155 @@ -553,7 +546,7 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu
156 if (properties.signWithPkey.get())
157 pkey.resetAndLock(properties.signWithPkey.get());
158 else // if not exist generate one
159 - pkey.resetWithoutLocking(Ssl::createSslPrivateKey());
160 + pkey.resetWithoutLocking(CreateRsaPrivateKey());
164 diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h
165 index 0a2535e41e5..b4395198cce 100644
166 --- a/src/ssl/gadgets.h
167 +++ b/src/ssl/gadgets.h
168 @@ -57,7 +57,7 @@ typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Poi
170 typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer;
172 -typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free>> RSA_Pointer;
173 +typedef std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free>> EVP_PKEY_CTX_Pointer;
175 typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer;
177 @@ -71,12 +71,6 @@ typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME
178 typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free>> X509_EXTENSION_Pointer;
180 typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer;
182 - \ingroup SslCrtdSslAPI
183 - * Create 1024 bits rsa key.
185 -EVP_PKEY * createSslPrivateKey();
188 \ingroup SslCrtdSslAPI
189 * Write private key and SSL certificate to memory.
191 From b62997320204965a765bab0dc9a5b2d3b5daa13c Mon Sep 17 00:00:00 2001
192 From: Amos Jeffries <squid3@treenet.co.nz>
193 Date: Tue, 10 Nov 2020 12:01:28 +1300
194 Subject: [PATCH 05/10] Tweak RSA key generator
196 ... rely on EVP_PKEY_keygen() allocating the key memory.
198 src/ssl/gadgets.cc | 11 ++++-------
199 1 file changed, 4 insertions(+), 7 deletions(-)
201 diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
202 index c1e81c79291..0754e4b26b4 100644
203 --- a/src/ssl/gadgets.cc
204 +++ b/src/ssl/gadgets.cc
205 @@ -24,14 +24,11 @@ CreateRsaPrivateKey()
209 - Security::PrivateKeyPointer pkey(EVP_PKEY_new());
211 - auto *foo = pkey.get();
212 - if (EVP_PKEY_keygen(rsa.get(), &foo) <= 0)
215 + EVP_PKEY *pkey = nullptr;
216 + if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0)
219 - return pkey.release();
225 From d38c63c6051d534e0b2eeb1d33e1a2dc380479a9 Mon Sep 17 00:00:00 2001
226 From: Amos Jeffries <amosjeffries@squid-cache.org>
227 Date: Wed, 6 Oct 2021 22:39:49 +1300
228 Subject: [PATCH 06/10] Fix EVP_PKEY_get0_RSA is deprecated
231 src/ssl/gadgets.cc | 6 +++++-
232 1 file changed, 5 insertions(+), 1 deletion(-)
234 diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
235 index 0754e4b26b4..c94d57c5dbb 100644
236 --- a/src/ssl/gadgets.cc
237 +++ b/src/ssl/gadgets.cc
238 @@ -369,7 +369,11 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic
239 // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are
240 // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types.
241 const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get()));
242 - const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr;
243 +#if OPENSSL_VERSION_MAJOR < 3
244 + const auto rsaPkey = bool(EVP_PKEY_get0_RSA(certKey.get()));
246 + const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA");
252 From f3acc382b9b609eaddb44a747a47dbf85cce4023 Mon Sep 17 00:00:00 2001
253 From: Amos Jeffries <amosjeffries@squid-cache.org>
254 Date: Wed, 6 Oct 2021 21:12:25 +1300
255 Subject: [PATCH 07/10] Initial DH conversion to EVP_PKEY
257 3.0 build does not yet complete due to ENGINE and BIGNUM deprecation issues.
259 This conversion relies on OSSL_*() functions added in 3.0. So the
260 old DH loading code is left unchanged.
263 src/security/ServerOptions.cc | 30 +++++++++++++++++++++++++++---
264 src/security/forward.h | 24 +++++++++++++++---------
265 3 files changed, 43 insertions(+), 12 deletions(-)
267 diff --git a/configure.ac b/configure.ac
268 index 534cec994fd..a97d05f55cf 100644
271 @@ -1307,6 +1307,7 @@ if test "x$with_openssl" = "xyes"; then
275 + openssl/decoder.h \
279 diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
280 index dee22869a74..040d6888bec 100644
281 --- a/src/security/ServerOptions.cc
282 +++ b/src/security/ServerOptions.cc
284 #include "compat/openssl.h"
285 #include "ssl/support.h"
287 +#if HAVE_OPENSSL_DECODER_H
288 +#include <openssl/decoder.h>
290 #if HAVE_OPENSSL_ERR_H
291 #include <openssl/err.h>
293 @@ -353,6 +356,7 @@ Security::ServerOptions::loadDhParams()
297 +#if OPENSSL_VERSION_MAJOR < 3
299 if (FILE *in = fopen(dhParamsFile.c_str(), "r")) {
300 dhp = PEM_read_DHparams(in, NULL, NULL, NULL);
301 @@ -364,7 +368,6 @@ Security::ServerOptions::loadDhParams()
305 -#if OPENSSL_VERSION_MAJOR < 3
306 // DH_check() removed in OpenSSL 3.0.
307 // TODO: use the EVP API instead, which also works in OpenSSL 1.1.
308 // But it is not yet clear exactly how that API works for DH.
309 @@ -376,10 +379,31 @@ Security::ServerOptions::loadDhParams()
315 parsedDhParams.resetWithoutLocking(dhp);
317 +#else // OpenSSL 3.0+
318 + EVP_PKEY *pkey = nullptr;
319 + if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) {
320 + if (auto *in = fopen(dhParamsFile.c_str(), "r")) {
321 + if (OSSL_DECODER_from_fp(dctx, in) == 1) {
323 + /* pkey is created with the decoded data from the bio */
325 + parsedDhParams.resetWithoutLocking(pkey);
328 + debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode DH parameters '" << dhParamsFile << "'");
332 + OSSL_DECODER_CTX_free(dctx);
335 + debugs(83, DBG_IMPORTANT, "WARNING: no suitable potential decoders found for DH parameters");
339 +#endif // USE_OPENSSL
343 diff --git a/src/security/forward.h b/src/security/forward.h
344 index 7cf1c5eb5a2..265c07eb021 100644
345 --- a/src/security/forward.h
346 +++ b/src/security/forward.h
347 @@ -93,9 +93,24 @@ typedef std::list<Security::CertPointer> CertList;
348 typedef std::list<Security::CrlPointer> CertRevokeList;
351 +CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
352 +typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
354 +typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
356 +typedef std::shared_ptr<void> PrivateKeyPointer;
360 +#if OPENSSL_VERSION_MAJOR < 3
361 CtoCpp1(DH_free, DH *);
362 typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
364 +typedef PrivateKeyPointer DhePointer;
367 +typedef void *DhePointer;
369 typedef void *DhePointer;
372 @@ -178,15 +193,6 @@ class PeerConnector;
377 -CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
378 -typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
380 -typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
382 -typedef std::shared_ptr<void> PrivateKeyPointer;
389 From b2f040b6872314390866e69ee643abe2786f3556 Mon Sep 17 00:00:00 2001
390 From: Amos Jeffries <amosjeffries@squid-cache.org>
391 Date: Wed, 6 Oct 2021 21:55:38 +1300
392 Subject: [PATCH 08/10] Switch to BN_rand()
394 BN_pseudo_rand() has been identical since libssl 1.1.0 and is removed in libssl 3.0
396 src/cf.data.pre | 2 ++
397 src/ssl/gadgets.cc | 2 +-
398 src/ssl/support.cc | 5 ++---
399 3 files changed, 5 insertions(+), 4 deletions(-)
401 diff --git a/src/cf.data.pre b/src/cf.data.pre
402 index be6741ec2ef..ef82d0a435b 100644
403 --- a/src/cf.data.pre
404 +++ b/src/cf.data.pre
405 @@ -3057,6 +3057,8 @@ DEFAULT: none
407 The OpenSSL engine to use. You will need to set this if you
408 would like to use hardware SSL acceleration for example.
410 + Note: OpenSSL 3.0 and newer do not provide Engine support.
413 NAME: sslproxy_session_ttl
414 diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
415 index c94d57c5dbb..626cb81e578 100644
416 --- a/src/ssl/gadgets.cc
417 +++ b/src/ssl/gadgets.cc
418 @@ -46,7 +46,7 @@ static bool setSerialNumber(ASN1_INTEGER *ai, BIGNUM const* serial)
422 - if (!BN_pseudo_rand(bn.get(), 64, 0, 0))
423 + if (!BN_rand(bn.get(), 64, 0, 0))
427 diff --git a/src/ssl/support.cc b/src/ssl/support.cc
428 index c9d99e9a27e..52b94cafdae 100644
429 --- a/src/ssl/support.cc
430 +++ b/src/ssl/support.cc
431 @@ -660,8 +660,8 @@ Ssl::Initialize(void)
433 SQUID_OPENSSL_init_ssl();
435 -#if !defined(OPENSSL_NO_ENGINE)
436 if (::Config.SSL.ssl_engine) {
437 +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_MAJOR < 3
438 ENGINE_load_builtin_engines();
440 if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine)))
441 @@ -671,11 +671,10 @@ Ssl::Initialize(void)
442 const auto ssl_error = ERR_get_error();
443 fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error));
447 - if (::Config.SSL.ssl_engine)
448 fatalf("Your OpenSSL has no SSL engine support\n");
452 const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE;
453 Ssl::DefaultSignHash = EVP_get_digestbyname(defName);
455 From 6923982e708a6bd58379161a6256f37645792edc Mon Sep 17 00:00:00 2001
456 From: Amos Jeffries <amosjeffries@squid-cache.org>
457 Date: Sun, 10 Oct 2021 02:35:10 +1300
458 Subject: [PATCH 09/10] SSL_OP_* macro definitions changed in 3.0
461 src/security/PeerOptions.cc | 50 ++++++++++++++++++-------------------
462 1 file changed, 25 insertions(+), 25 deletions(-)
464 diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
465 index 648f9f2590e..52a154b8c02 100644
466 --- a/src/security/PeerOptions.cc
467 +++ b/src/security/PeerOptions.cc
468 @@ -297,130 +297,130 @@ static struct ssl_option {
472 -#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
473 +#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
475 "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
478 -#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
479 +#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
481 "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
484 -#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
485 +#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
487 "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
490 -#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
491 +#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
493 "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
496 -#if SSL_OP_TLS_D5_BUG
497 +#if defined(SSL_OP_TLS_D5_BUG)
499 "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
502 -#if SSL_OP_TLS_BLOCK_PADDING_BUG
503 +#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
505 "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
508 -#if SSL_OP_TLS_ROLLBACK_BUG
509 +#if defined(SSL_OP_TLS_ROLLBACK_BUG)
511 "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
515 +#if defined(SSL_OP_ALL)
517 "ALL", (long)SSL_OP_ALL
520 -#if SSL_OP_SINGLE_DH_USE
521 +#if defined(SSL_OP_SINGLE_DH_USE)
523 "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
526 -#if SSL_OP_EPHEMERAL_RSA
527 +#if defined(SSL_OP_EPHEMERAL_RSA)
529 "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
532 -#if SSL_OP_PKCS1_CHECK_1
533 +#if defined(SSL_OP_PKCS1_CHECK_1)
535 "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
538 -#if SSL_OP_PKCS1_CHECK_2
539 +#if defined(SSL_OP_PKCS1_CHECK_2)
541 "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
544 -#if SSL_OP_NETSCAPE_CA_DN_BUG
545 +#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
547 "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
550 -#if SSL_OP_NON_EXPORT_FIRST
551 +#if defined(SSL_OP_NON_EXPORT_FIRST)
553 "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
556 -#if SSL_OP_CIPHER_SERVER_PREFERENCE
557 +#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
559 "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
562 -#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
563 +#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
565 "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
569 +#if defined(SSL_OP_NO_SSLv3)
571 "NO_SSLv3", SSL_OP_NO_SSLv3
575 +#if defined(SSL_OP_NO_TLSv1)
577 "NO_TLSv1", SSL_OP_NO_TLSv1
582 -#if SSL_OP_NO_TLSv1_1
583 +#if defined(SSL_OP_NO_TLSv1_1)
585 "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
590 -#if SSL_OP_NO_TLSv1_2
591 +#if defined(SSL_OP_NO_TLSv1_2)
593 "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
598 -#if SSL_OP_NO_TLSv1_3
599 +#if defined(SSL_OP_NO_TLSv1_3)
601 "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
606 -#if SSL_OP_NO_COMPRESSION
607 +#if defined(SSL_OP_NO_COMPRESSION)
609 "No_Compression", SSL_OP_NO_COMPRESSION
612 -#if SSL_OP_NO_TICKET
613 +#if defined(SSL_OP_NO_TICKET)
615 "NO_TICKET", SSL_OP_NO_TICKET
618 -#if SSL_OP_SINGLE_ECDH_USE
619 +#if defined(SSL_OP_SINGLE_ECDH_USE)
621 "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
623 @@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
628 +#if defined(SSL_OP_NO_SSLv2)
629 // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
630 op = op | SSL_OP_NO_SSLv2;
633 From 0097ab042f705596c317eb69ffa7271bc676ff66 Mon Sep 17 00:00:00 2001
634 From: Amos Jeffries <amosjeffries@squid-cache.org>
635 Date: Mon, 11 Oct 2021 06:01:10 +1300
636 Subject: [PATCH 10/10] Update ECDH key settings
639 src/security/ServerOptions.cc | 19 +++++++++++++++++--
640 1 file changed, 17 insertions(+), 2 deletions(-)
642 diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
643 index 040d6888bec..9594350e776 100644
644 --- a/src/security/ServerOptions.cc
645 +++ b/src/security/ServerOptions.cc
646 @@ -383,7 +383,12 @@ Security::ServerOptions::loadDhParams()
648 #else // OpenSSL 3.0+
649 EVP_PKEY *pkey = nullptr;
650 - if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, "DH", OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) {
651 + const char *type = "DH";
652 + if (!eecdhCurve.isEmpty())
654 + // XXX: use the eecdhCurve name when generating the EVP_KEY object. or at least verify it matches the loaded params.
656 + if (auto *dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", nullptr, type, OSSL_KEYMGMT_SELECT_ALL, nullptr, nullptr)) {
657 if (auto *in = fopen(dhParamsFile.c_str(), "r")) {
658 if (OSSL_DECODER_from_fp(dctx, in) == 1) {
660 @@ -482,6 +487,9 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
661 debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
663 #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
665 + // OpenSSL 3.0+ generates the key in loadDhParams()
666 +#if OPENSSL_VERSION_MAJOR < 3
667 int nid = OBJ_sn2nid(eecdhCurve.c_str());
669 debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'");
670 @@ -489,6 +497,9 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
673 auto ecdh = EC_KEY_new_by_curve_name(nid);
675 + auto ecdh = parsedDhParams.get();
678 const auto x = ERR_get_error();
679 debugs(83, DBG_CRITICAL, "ERROR: Unable to configure Ephemeral ECDH: " << Security::ErrorString(x));
680 @@ -499,7 +510,11 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
681 const auto x = ERR_get_error();
682 debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(x));
684 +#if OPENSSL_VERSION_MAJOR < 3
691 debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." <<
692 @@ -508,8 +523,8 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
696 - // set DH parameters into the server context
698 + // set DH parameters into the server context
699 if (parsedDhParams) {
700 SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get());