Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 174dfe55a01bca1206d4107bddc2145a3bd2b594^! / . / src / ssl_sock.c
commit174dfe55a01bca1206d4107bddc2145a3bd2b594[log] [tgz]
authorEmmanuel Hocdet <manu@gandi.net>Fri Jul 28 15:01:05 2017 +0200
committerWilly Tarreau <w@1wt.eu>Fri Jul 28 15:20:48 2017 +0200
tree1ef5353877f17efc0ff55fb781851bad99beab62
parent46d5b0872ada05952574f070b751c793ab6af4fc [diff] [blame]
MINOR: ssl: add "no-ca-names" parameter for bind

This option prevent to send CA names in server hello message when
ca-file is used. This parameter is also available in "crt-list".

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 207f427..b4d4e14 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3703,8 +3703,10 @@
 				      curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
 				cfgerr++;
 			}
-			/* set CA names fo client cert request, function returns void */
-			SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+			if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
+				/* set CA names for client cert request, function returns void */
+				SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+			}
 		}
 		else {
 			Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
@@ -7045,6 +7047,17 @@
 	return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err);
 }
 
+/* parse the "no-ca-names" bind keyword */
+static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+{
+	conf->no_ca_names = 1;
+	return 0;
+}
+static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, err);
+}
+
 /************** "server" keywords ****************/
 
 /* parse the "ca-file" server keyword */
@@ -7957,6 +7970,7 @@
 	{ "crl-file",              ssl_bind_parse_crl_file,         1 }, /* set certificat revocation list file use on client cert verify */
 	{ "curves",                ssl_bind_parse_curves,           1 }, /* set SSL curve suite */
 	{ "ecdhe",                 ssl_bind_parse_ecdhe,            1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+	{ "no-ca-names",           ssl_bind_parse_no_ca_names,      0 }, /* do not send ca names to clients (ca_file related) */
 	{ "npn",                   ssl_bind_parse_npn,              1 }, /* set NPN supported protocols */
 	{ "ssl-min-ver",           ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
 	{ "ssl-max-ver",           ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
@@ -7983,6 +7997,7 @@
 	{ "force-tlsv12",          bind_parse_tls_method_options, 0 }, /* force TLSv12 */
 	{ "force-tlsv13",          bind_parse_tls_method_options, 0 }, /* force TLSv13 */
 	{ "generate-certificates", bind_parse_generate_certs,     0 }, /* enable the server certificates generation */
+	{ "no-ca-names",           bind_parse_no_ca_names,        0 }, /* do not send ca names to clients (ca_file related) */
 	{ "no-sslv3",              bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
 	{ "no-tlsv10",             bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
 	{ "no-tlsv11",             bind_parse_tls_method_options, 0 }, /* disable TLSv11 */