<crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
- sslbindconf support "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe",
- "curves", "ciphers" configuration. With BoringSSL "ssl-min-ver" and
- "ssl-max-ver" are also supported.
+ sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
+ crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
+ "ssl-min-ver" and "ssl-max-ver" are also supported.
It override the configuration set in bind line for the certificate.
Wildcards are supported in the SNI filter. Negative filter are also supported,
it may make sense to use a positive value for an SMTP socket and a negative
one for an RDP socket.
+no-ca-names
+ This setting is only available when support for OpenSSL was built in. It
+ prevents from send CA names in server hello message when ca-file is used.
+
no-sslv3
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instantiated from the listener when
curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
- /* set CA names fo client cert request, function returns void */
- SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+ if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
+ /* set CA names for client cert request, function returns void */
+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+ }
}
else {
Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
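Review bot: The added condition ORs the crt-list flag with the bind-line flag, so once the bind line carries `no-ca-names` a crt-list entry can never re-enable the CA name list, whereas the documentation added in this same commit says sslbindconf settings override the bind-line value. If the cumulative behaviour is intended, the comment on the call should say so, e.g. `/* no-ca-names is cumulative: set on the bind line or on the crt-list entry, the CA list is not sent in the CertificateRequest */`; otherwise the flag would need a tri-state (unset/on/off) so the per-certificate value can take precedence. The re-added call still passes the result of SSL_load_client_CA_file() to SSL_CTX_set_client_CA_list() unchecked, so a NULL return silently installs an empty CA list instead of being reported; a `cfgerr++` with an Alert, as the load-failure branch just above does, would surface it. The enclosing function starts and ends outside the hunk.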
return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err);
}
+/* parse the "no-ca-names" bind keyword */
+static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+{
+ conf->no_ca_names = 1;
+ return 0;
+}
+static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, err);
+}
+
/************** "server" keywords ****************/
/* parse the "ca-file" server keyword */
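Review bot: `bind_parse_no_ca_names` has no header comment while its sibling `ssl_bind_parse_no_ca_names` does; adding `/* parse the "no-ca-names" bind keyword: sets the flag on the bind line's ssl_bind_conf */` above it would match the other bind keyword parsers in this file. The unused `args`, `cur_arg`, `px` and `err` parameters follow the common keyword-parser signature, so they are expected, but extending the comment on `ssl_bind_parse_no_ca_names` with "takes no argument" (the keyword table entries in this commit register it with 0 arguments) tells the next reader why they are not consulted. The `no_ca_names` field written here is not declared in this excerpt; presumably the struct change sits in a header hunk not shown.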
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
{ "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
{ "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
{ "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
+ { "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
{ "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */