MINOR: ssl: add "no-ca-names" parameter for bind

This option prevents sending CA names in the server hello message when
ca-file is used. This parameter is also available in "crt-list".
Emmanuel Hocdet 2017-07-28 15:01:05 +02:00 committed by Willy Tarreau
parent 46d5b0872a
commit 174dfe55a0
3 changed files with 26 additions and 6 deletions


@ -10418,9 +10418,9 @@ crt-list <file>
<crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...] <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
sslbindconf support "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
"curves", "ciphers" configuration. With BoringSSL "ssl-min-ver" and crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
"ssl-max-ver" are also supported. "ssl-min-ver" and "ssl-max-ver" are also supported.
It override the configuration set in bind line for the certificate. It override the configuration set in bind line for the certificate.
Wildcards are supported in the SNI filter. Negative filter are also supported, Wildcards are supported in the SNI filter. Negative filter are also supported,
@ -10601,6 +10601,10 @@ nice <nice>
it may make sense to use a positive value for an SMTP socket and a negative it may make sense to use a positive value for an SMTP socket and a negative
one for an RDP socket. one for an RDP socket.
no-ca-names
This setting is only available when support for OpenSSL was built in. It
prevents from send CA names in server hello message when ca-file is used.
no-sslv3 no-sslv3
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instantiated from the listener when disables support for SSLv3 on any sockets instantiated from the listener when


@ -118,7 +118,8 @@ struct ssl_bind_conf {
char *alpn_str; /* ALPN protocol string */ char *alpn_str; /* ALPN protocol string */
int alpn_len; /* ALPN protocol string length */ int alpn_len; /* ALPN protocol string length */
#endif #endif
int verify; /* verify method (set of SSL_VERIFY_* flags) */ int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
int no_ca_names:1; /* do not send ca names to clients (ca_file related) */
char *ca_file; /* CAfile to use on verify */ char *ca_file; /* CAfile to use on verify */
char *crl_file; /* CRLfile to use on verify */ char *crl_file; /* CRLfile to use on verify */
char *ciphers; /* cipher suite to use if non-null */ char *ciphers; /* cipher suite to use if non-null */
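Review bot: The new `int no_ca_names:1;` field, and the `int verify:3;` narrowed on the line above it, are plain-`int` bit-fields whose signedness is implementation-defined (C11 6.7.2p5); with the signed interpretation most compilers pick, a 1-bit field stores 1 as -1 and a 3-bit field only holds -4..3. The consumer in ssl_sock.c tests the flag for non-zero, so it works today, but any later `== 1` comparison, or a verify value with bit 2 set (SSL_VERIFY_CLIENT_ONCE is 0x04 in OpenSSL), would break silently. Declaring them `unsigned int verify:3;` and `unsigned int no_ca_names:1;` removes the ambiguity at no cost. The enclosing struct ssl_bind_conf starts outside the hunk.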


@ -3703,9 +3703,11 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line); curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++; cfgerr++;
} }
/* set CA names fo client cert request, function returns void */ if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
/* set CA names for client cert request, function returns void */
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file)); SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
} }
}
else { else {
Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n", Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line); curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
@ -7045,6 +7047,17 @@ static int bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct
return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err); return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err);
} }
/* parse the "no-ca-names" bind keyword */
static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
conf->no_ca_names = 1;
return 0;
}
static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, err);
}
/************** "server" keywords ****************/ /************** "server" keywords ****************/
/* parse the "ca-file" server keyword */ /* parse the "ca-file" server keyword */
@ -7957,6 +7970,7 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */ { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */ { "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */ { "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
{ "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */ { "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */ { "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */ { "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
@ -7983,6 +7997,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
{ "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */ { "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
{ "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */ { "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
{ "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */ { "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
{ "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */ { "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */ { "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
{ "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */ { "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */
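Review bot: The guard added around SSL_CTX_set_client_CA_list in the first hunk of ssl_sock_prepare_ctx needs a comment on its wire effect, because skipping the call is not a no-op: the CertificateRequest then carries an empty certificate_authorities list and, per RFC 5246 §7.4.4, the client may present a certificate from any CA. Verification against ca_file presumably still applies through the verify setup earlier in this function, outside the hunk, so the option only hides which CAs are accepted; I would say so in place of the existing comment: `/* no-ca-names: send an empty CA list (RFC 5246 7.4.4); clients may then offer any cert, verification against ca_file is unchanged */`. The condition also means a crt-list entry can only add the flag on top of the bind line, never clear a bind-level no-ca-names, which neither the code comment nor the doc hunk states. ssl_sock_prepare_ctx starts and ends outside the hunk.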