DOC: configuration: add a warning for @system-ca on bind

Add a warning on @system-ca on the bind line so people don't use it this
way.
William Lallemand 2022-05-26 00:18:46 +02:00
parent a45403f965
commit 1639d6c02b

@ -13872,6 +13872,13 @@ ca-file <cafile>
CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and
.crl" available in the directory, files starting with a dot are ignored.
Warning: The "@system-ca" parameter could be used in place of the cafile
in order to use the trusted CAs of your system, like its done with the server
directive. But you mustn't use it unless you know what you are doing.
Configuring it this way basically mean that the bind will accept any client
certificate generated from one of the CA present on your system, which is
extremely unsecure.
ca-ignore-err [all|<errorID>,...]
This setting is only available when support for OpenSSL was built in.
Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
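
Review bot: The new warning paragraph under ca-file tells readers not to use "@system-ca" on a bind line "unless you know what you are doing", but it never names the alternative. Consider adding one sentence that points to a cafile containing only the CA(s) that issue your client certificates, so the reader knows what the safe configuration looks like. Wording nits in the same paragraph: "like its done" should be "like it's done", "basically mean" should be "basically means", "one of the CA present" should be "one of the CAs present", and "extremely unsecure" reads better as "extremely insecure".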