MINOR: ssl: add ssl-skip-self-issued-ca global option
This option activates the feature introduced in commit 16739778:
"MINOR: ssl: skip self issued CA in cert chain for ssl_ctx".
The patch disables the feature by default.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b6..a6ff8df 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -628,6 +628,7 @@
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
+ - ssl-skip-self-issued-ca
- unix-bind
- unsetenv
- 51degrees-data-file
@@ -1370,6 +1371,16 @@
servers certificates are not verified. The default is 'required' except if
forced using cmdline option '-dV'.
+ssl-skip-self-issued-ca
+ Self issued CA, aka x509 root CA, is the enchor for chain validation: as a
+ server is useless to send it, client must have it. Standard configuration
+ need to not include such CA in PEM file. This option allows you to keep such
+ CA in PEM file without sending it to the client. Use case is to provide
+ issuer for ocsp without the need for '.issuer' file and be able to share it
+ with 'issuers-chain-path'. This concerns all certificates without intermediate
+ certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
+ bits does not need it.
+
stats socket [<address:port>|<path>] [param*]
Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
Connections to this socket will return various statistics outputs and even
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e91..cbb7e2f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -167,6 +167,7 @@
char *crt_base; /* base directory path for certificates */
char *ca_base; /* base directory path for CAs and CRLs */
char *issuers_chain_path; /* from "issuers-chain-path" */
+ int skip_self_issued_ca;
int async; /* whether we use ssl async mode */
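Review bot: The added `int skip_self_issued_ca;` field carries no trailing comment, while every neighbouring field in this struct states which keyword or role it serves (`/* from "issuers-chain-path" */` just above it). Since the value is read later as `global_ssl.skip_self_issued_ca` and only ever set by the new keyword parser, the comment should say so: `int skip_self_issued_ca; /* from "ssl-skip-self-issued-ca" */`. The struct declaration begins and ends outside this hunk, so I assume it is the type of `global_ssl` — please confirm.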
@@ -3823,7 +3824,7 @@
for (i = 0; i < sk_X509_num(find_chain); i++) {
ca = sk_X509_value(find_chain, i);
/* skip self issued (Root CA) */
- if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
+ if (global_ssl.skip_self_issued_ca && !X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
continue;
/*
SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
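Review bot: The comment above the changed condition still reads `/* skip self issued (Root CA) */`, but after this change the skip is opt-in rather than unconditional, so a reader of the loop cannot tell that a root CA present in the PEM file is now sent to clients by default. Suggest `/* skip self issued (Root CA) only when "ssl-skip-self-issued-ca" is set */`. The subject/issuer name comparison itself matches the RFC 5280 notion of "self-issued", so the test is unchanged in meaning. The enclosing function starts and ends outside this hunk.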
@@ -10191,6 +10192,15 @@
return 0;
}
+/* parse the "ssl-skip-self-issued-ca" keyword in global section. */
+static int ssl_parse_skip_self_issued_ca(char **args, int section_type, struct proxy *curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ global_ssl.skip_self_issued_ca = 1;
+ return 0;
+}
+
/* "issuers-chain-path" load chain certificate in global */
static int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err)
{
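Review bot: `ssl_parse_skip_self_issued_ca` sets the flag and returns 0 without looking at `args`, so a misspelt or stray argument after the keyword (e.g. an intended `on`/`off`) is silently accepted and the option is always enabled. Other global keyword parsers report unexpected arguments through `err`; the same check fits here before the assignment: `if (*args[1]) { memprintf(err, "'%s' expects no argument.", args[0]); return -1; }`. Note also that the keyword can only set the flag, never clear it, which is worth a sentence in the function comment if that is intended. The hunk cuts into `ssl_load_global_issuer_from_BIO`, whose body continues outside it.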
@@ -12997,6 +13007,7 @@
#ifndef OPENSSL_NO_ENGINE
{ CFG_GLOBAL, "ssl-engine", ssl_parse_global_ssl_engine },
#endif
+ { CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
{ CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },
#ifndef OPENSSL_NO_DH
{ CFG_GLOBAL, "tune.ssl.default-dh-param", ssl_parse_global_default_dh },