MINOR: ssl: add "no-ca-names" parameter for bind
This option prevent to send CA names in server hello message when
ca-file is used. This parameter is also available in "crt-list".
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 4104868..bfeb3ce 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10418,9 +10418,9 @@
<crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
- sslbindconf support "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe",
- "curves", "ciphers" configuration. With BoringSSL "ssl-min-ver" and
- "ssl-max-ver" are also supported.
+ sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
+ crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
+ "ssl-min-ver" and "ssl-max-ver" are also supported.
It override the configuration set in bind line for the certificate.
Wildcards are supported in the SNI filter. Negative filter are also supported,
@@ -10601,6 +10601,10 @@
it may make sense to use a positive value for an SMTP socket and a negative
one for an RDP socket.
+no-ca-names
+ This setting is only available when support for OpenSSL was built in. It
+ prevents from send CA names in server hello message when ca-file is used.
+
no-sslv3
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instantiated from the listener when
diff --git a/include/types/listener.h b/include/types/listener.h
index 9a77e96..f309c84 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -118,7 +118,8 @@
char *alpn_str; /* ALPN protocol string */
int alpn_len; /* ALPN protocol string length */
#endif
- int verify; /* verify method (set of SSL_VERIFY_* flags) */
+ int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
+ int no_ca_names:1; /* do not send ca names to clients (ca_file related) */
char *ca_file; /* CAfile to use on verify */
char *crl_file; /* CRLfile to use on verify */
char *ciphers; /* cipher suite to use if non-null */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 207f427..b4d4e14 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3703,8 +3703,10 @@
curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
- /* set CA names fo client cert request, function returns void */
- SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+ if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
+ /* set CA names for client cert request, function returns void */
+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+ }
}
else {
Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
@@ -7045,6 +7047,17 @@
return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err);
}
+/* parse the "no-ca-names" bind keyword */
+static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+{
+ conf->no_ca_names = 1;
+ return 0;
+}
+static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, err);
+}
+
/************** "server" keywords ****************/
/* parse the "ca-file" server keyword */
@@ -7957,6 +7970,7 @@
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
@@ -7983,6 +7997,7 @@
{ "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
{ "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
{ "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
+ { "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
{ "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */