squid4 tls options

www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc

@@ -1135,12 +1135,15 @@ function squid_resync_general() {
 		$srv_cert = lookup_ca($settings["dca"]);
 		if ($srv_cert != false) {
 			if (base64_decode($srv_cert['prv'])) {
+				if (file_exists(SQUID_LOCALBASE . "/libexec/squid/security_file_certgen")) {
+					$squid4 = true;
+				}
 				// check if ssl_db was initilized by Squid
 				if (!file_exists(SQUID_SSL_DB . "/serial")) {
 					if (is_dir(SQUID_SSL_DB)) {
 						mwexec("/bin/rm -rf " . SQUID_SSL_DB);
 					}
-					if (file_exists(SQUID_LOCALBASE . "/libexec/squid/security_file_certgen")) {
+					if ($squid4) {
 						mwexec(SQUID_LOCALBASE . "/libexec/squid/security_file_certgen -c -s " . SQUID_SSL_DB . " -M 4MB");
 					} else {
 						mwexec(SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB);
@@ -1182,21 +1185,27 @@ function squid_resync_general() {
 				file_put_contents($crt_pk, unixnewlines(base64_decode($srv_cert['prv']) . "\n" . base64_decode($srv_cert['crt'])));
 				$sslcrtd_children = ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
 				$ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath} cipher={$sslproxy_cipher} {$sslproxy_dhparams} options={$sslproxy_options}\n";
-				if (file_exists(SQUID_LOCALBASE . "/libexec/squid/security_file_certgen")) {
+				if ($squid4) {
 					$interception_checks = "sslcrtd_program " . SQUID_LOCALBASE . "/libexec/squid/security_file_certgen -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n";
+					$interception_checks .= "tls_outgoing_options capath={$crt_capath}\n";
+					$interception_checks .= "tls_outgoing_options options={$sslproxy_options}\n";
+					$interception_checks .= "tls_outgoing_options cipher={$sslproxy_cipher}\n";
+					if (preg_match("/sslproxy_flags/", $settings["interception_checks"])) {
+						$interception_checks .= "tls_outgoing_options flags=DONT_VERIFY_PEER\n";
+					}
 				} else {
 					$interception_checks = "sslcrtd_program " . SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n";
+					$interception_checks .= "sslproxy_capath {$crt_capath}\n";
+					$interception_checks .= "sslproxy_options {$sslproxy_options}\n";
+					$interception_checks .= "sslproxy_cipher {$sslproxy_cipher}\n";
+					if (preg_match("/sslproxy_flags/", $settings["interception_checks"])) {
+						$interception_checks .= "sslproxy_flags DONT_VERIFY_PEER\n";
+					}
 				}
 				$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
-				$interception_checks .= "sslproxy_capath {$crt_capath}\n";
-				$interception_checks .= "sslproxy_options {$sslproxy_options}\n";
-				$interception_checks .= "sslproxy_cipher {$sslproxy_cipher}\n";
 				if (preg_match("/sslproxy_cert_error/", $settings["interception_checks"])) {
 					$interception_checks .= "sslproxy_cert_error allow all\n";
 				}
-				if (preg_match("/sslproxy_flags/", $settings["interception_checks"])) {
-					$interception_checks .= "sslproxy_flags DONT_VERIFY_PEER\n";
-				}
 				if ($settings["interception_adapt"] != "") {
 					foreach (explode(",", $settings["interception_adapt"]) as $adapt) {
 						$interception_checks .= "sslproxy_cert_adapt {$adapt} all\n";

www/pfSense-pkg-squid/files/usr/local/pkg/squid_reverse.inc

@@ -56,6 +56,10 @@ function squid_resync_reverse() {
 
 	$conf = "# Reverse Proxy settings\n";
 
+	if (file_exists(SQUID_LOCALBASE . "/libexec/squid/security_file_certgen")) {
+		$squid4 = true;
+	}
+
 	if (isset($settings['reverse_ssl_cert']) && $settings['reverse_ssl_cert'] != "none") {
 		$svr_cert = lookup_cert($settings['reverse_ssl_cert']);
 		if ($svr_cert != false) {
@@ -113,7 +117,11 @@ function squid_resync_reverse() {
 	$https_defsite = (empty($settings['reverse_https_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_https_defsite']);
 
 	// Ignore Internal Certificate Validation
-	$sslflags_cache_peer = ($settings['reverse_ignore_ssl_valid'] == "on" ? "sslflags=DONT_VERIFY_PEER" : "");
+	if ($squid4) {
+		$sslflags_cache_peer = ($settings['reverse_ignore_ssl_valid'] == "on" ? "tls-flags=DONT_VERIFY_PEER" : "");
+	} else {
+		$sslflags_cache_peer = ($settings['reverse_ignore_ssl_valid'] == "on" ? "sslflags=DONT_VERIFY_PEER" : "");
+	}
 
 	// Reverse Proxy HTTPS security settings
 	$options = "NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE";
@@ -196,14 +204,20 @@ function squid_resync_reverse() {
 		}
 	}
 
+	if ($squid4) {
+		$ssl = 'tls';
+	} else {
+		$ssl = 'ssl';
+	}
+
 	// peers
 	if ($settings['reverse_owa'] == 'on') {
 		if (!empty($settings['reverse_owa_ip'])) {
 			$reverse_owa_ip = explode(";", ($settings['reverse_owa_ip']));
 			$casnr = 0;
 			foreach ($reverse_owa_ip as $reowaip) {
 				$casnr++;
-				$conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl {$sslflags_cache_peer} front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n";
+				$conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on {$ssl} {$sslflags_cache_peer} front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n";
 				$conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n";
 			}
 		}
@@ -216,7 +230,7 @@ function squid_resync_reverse() {
 				$conf_peer = "#{$rp['description']}\n";
 				$conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
 				if ($rp['protocol'] == 'HTTPS') {
-					$conf_peer .= "ssl {$sslflags_cache_peer} front-end-https=auto ";
+					$conf_peer .= "{$ssl} {$sslflags_cache_peer} front-end-https=auto ";
 				}
 				$conf_peer .= "name=rvp_{$rp['name']}\n\n";