MINOR: ssl: add "no-ca-names" parameter for bind

This option prevent to send CA names in server hello message when ca-file is used. This parameter is also available in "crt-list".
2025-02-21 13:16:57 +00:00 · 2017-07-28 15:01:05 +02:00 · 2017-07-28 15:01:05 +02:00 · 174dfe55a0
commit 174dfe55a0
parent 46d5b0872a
3 changed files with 26 additions and 6 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -10418,9 +10418,9 @@ crt-list <file>

        <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]

-  sslbindconf support "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe",
-  "curves", "ciphers" configuration. With BoringSSL "ssl-min-ver" and
-  "ssl-max-ver" are also supported.
+  sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
+  crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
+  "ssl-min-ver" and "ssl-max-ver" are also supported.
  It override the configuration set in bind line for the certificate.

  Wildcards are supported in the SNI filter. Negative filter are also supported,
@ -10601,6 +10601,10 @@ nice <nice>
  it may make sense to use a positive value for an SMTP socket and a negative
  one for an RDP socket.

+no-ca-names
+  This setting is only available when support for OpenSSL was built in. It
+  prevents from send CA names in server hello message when ca-file is used.
+
 no-sslv3
  This setting is only available when support for OpenSSL was built in. It
  disables support for SSLv3 on any sockets instantiated from the listener when
--- a/include/types/listener.h
+++ b/include/types/listener.h
@ -118,7 +118,8 @@ struct ssl_bind_conf {
 	char *alpn_str;            /* ALPN protocol string */
 	int alpn_len;              /* ALPN protocol string length */
 #endif
-	int verify;                /* verify method (set of SSL_VERIFY_* flags) */
+	int verify:3;              /* verify method (set of SSL_VERIFY_* flags) */
+	int no_ca_names:1;         /* do not send ca names to clients (ca_file related) */
 	char *ca_file;             /* CAfile to use on verify */
 	char *crl_file;            /* CRLfile to use on verify */
 	char *ciphers;             /* cipher suite to use if non-null */
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -3703,8 +3703,10 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 				      curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
 				cfgerr++;
 			}
-			/* set CA names fo client cert request, function returns void */
-			SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+			if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
+				/* set CA names for client cert request, function returns void */
+				SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+			}
 		}
 		else {
 			Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
@ -7045,6 +7047,17 @@ static int bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct
 	return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err);
 }

+/* parse the "no-ca-names" bind keyword */
+static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+{
+	conf->no_ca_names = 1;
+	return 0;
+}
+static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, err);
+}
+
 /************** "server" keywords ****************/

 /* parse the "ca-file" server keyword */
@ -7957,6 +7970,7 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
 	{ "crl-file",              ssl_bind_parse_crl_file,         1 }, /* set certificat revocation list file use on client cert verify */
 	{ "curves",                ssl_bind_parse_curves,           1 }, /* set SSL curve suite */
 	{ "ecdhe",                 ssl_bind_parse_ecdhe,            1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+	{ "no-ca-names",           ssl_bind_parse_no_ca_names,      0 }, /* do not send ca names to clients (ca_file related) */
 	{ "npn",                   ssl_bind_parse_npn,              1 }, /* set NPN supported protocols */
 	{ "ssl-min-ver",           ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
 	{ "ssl-max-ver",           ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
@ -7983,6 +7997,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 	{ "force-tlsv12",          bind_parse_tls_method_options, 0 }, /* force TLSv12 */
 	{ "force-tlsv13",          bind_parse_tls_method_options, 0 }, /* force TLSv13 */
 	{ "generate-certificates", bind_parse_generate_certs,     0 }, /* enable the server certificates generation */
+	{ "no-ca-names",           bind_parse_no_ca_names,        0 }, /* do not send ca names to clients (ca_file related) */
 	{ "no-sslv3",              bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
 	{ "no-tlsv10",             bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
 	{ "no-tlsv11",             bind_parse_tls_method_options, 0 }, /* disable TLSv11 */