Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / b6ae2aafde4373c6959a9937878189b75936a009^! / . / doc / configuration.txt
commitb6ae2aafde4373c6959a9937878189b75936a009[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.org>Fri May 05 00:05:46 2023 +0200
committerWilliam Lallemand <wlallemand@haproxy.org>Fri May 05 00:05:46 2023 +0200
tree34407d073d3163f64ec542aa149054edb558836c
parent1d3c822300003bf40f4d723109c690ad2944baf2 [diff] [blame]
MINOR: ssl: allow to change the signature algorithm for client authentication

This commit introduces the keyword "client-sigalgs" for the bind line,
which does the same as "sigalgs" but for the client authentication.

"ssl-default-bind-client-sigalgs" allows to set the default parameter
for all the bind lines.

This patch should fix issue #2081.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 0111b61..7926b72 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -1095,6 +1095,7 @@
    - setenv
    - ssl-default-bind-ciphers
    - ssl-default-bind-ciphersuites
+   - ssl-default-bind-client-sigalgs
    - ssl-default-bind-curves
    - ssl-default-bind-options
    - ssl-default-bind-sigalgs
@@ -2168,6 +2169,21 @@
   "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
   information.
 
+ssl-default-bind-client-sigalgs <sigalgs>
+  This setting is only available when support for OpenSSL was built in. It sets
+  the default string describing the list of signature algorithms related to
+  client authentication for all "bind" lines which do not explicitly define
+  theirs. The format of the string is a colon-delimited list of signature
+  algorithms. Each signature algorithm can use one of two forms: TLS1.3 signature
+  scheme names ("rsa_pss_rsae_sha256") or the public key algorithm + digest form
+  ("ECDSA+SHA256"). A list can contain both forms. For more information on the
+  format, see SSL_CTX_set1_client_sigalgs(3). A list of signature algorithms is
+  also available in RFC8446 section 4.2.3 and in OpenSSL in the ssl/t1_lib.c
+  file.  This setting is not applicable to TLSv1.1 and earlier versions of the
+  protocol as the signature algorithms aren't separately negotiated in these
+  versions. It is not recommended to change this setting unless compatibility
+  with a middlebox is required.
+
 ssl-default-bind-curves <curves>
   This setting is only available when support for OpenSSL was built in. It sets
   the default string describing the list of elliptic curves algorithms ("curve
@@ -14809,6 +14825,13 @@
   OpenSSL man pages under the "ciphersuites" section. For cipher configuration
   for TLSv1.2 and earlier, please check the "ciphers" keyword.
 
+client-sigalgs <sigalgs>
+  This setting is only available when support for OpenSSL was built in. It sets
+  the string describing the list of signature algorithms related to client
+  authentication that are negotiated . The format of the string is defined in
+  "man 3 SSL_CTX_set1_client_sigalgs" from the OpenSSL man pages. It is not
+  recommended to use this setting if no specific usecase was identified.
+
 crl-file <crlfile>
   This setting is only available when support for OpenSSL was built in. It
   designates a PEM file from which to load certificate revocation list used