MINOR: ssl: add ssl-skip-self-issued-ca global option

This option activate the feature introduce in commit 16739778:
"MINOR: ssl: skip self issued CA in cert chain for ssl_ctx".
The patch disable the feature per default.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b66c7871beecf3b58b989ca78c08c740afe..a6ff8df34ad41ec8b4e98b85a0e92901af6e3635 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -628,6 +628,7 @@ The following keywords are supported in the "global" section :
    - ssl-default-server-options
    - ssl-dh-param-file
    - ssl-server-verify
+   - ssl-skip-self-issued-ca
    - unix-bind
    - unsetenv
    - 51degrees-data-file
@@ -1370,6 +1371,16 @@ ssl-server-verify [none|required]
   servers certificates are not verified. The default is 'required' except if
   forced using cmdline option '-dV'.
 
+ssl-skip-self-issued-ca
+  Self issued CA, aka x509 root CA, is the enchor for chain validation: as a
+  server is useless to send it, client must have it. Standard configuration
+  need to not include such CA in PEM file. This option allows you to keep such
+  CA in PEM file without sending it to the client. Use case is to provide
+  issuer for ocsp without the need for '.issuer' file and be able to share it
+  with 'issuers-chain-path'. This concerns all certificates without intermediate
+  certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
+  bits does not need it.
+
 stats socket [<address:port>|<path>] [param*]
   Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
   Connections to this socket will return various statistics outputs and even

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e91144716ca00abd21cbeef47bb58c4ba2e9..cbb7e2fa21212ecd2b3a3ebd2721b225b0a8e1c9 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -167,6 +167,7 @@ static struct {
        char *crt_base;             /* base directory path for certificates */
        char *ca_base;              /* base directory path for CAs and CRLs */
        char *issuers_chain_path;   /* from "issuers-chain-path" */
+       int  skip_self_issued_ca;
 
        int  async;                 /* whether we use ssl async mode */
 
@@ -3823,7 +3824,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
                for (i = 0; i < sk_X509_num(find_chain); i++) {
                        ca = sk_X509_value(find_chain, i);
                        /* skip self issued (Root CA) */
-                       if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
+                       if (global_ssl.skip_self_issued_ca && !X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
                                continue;
                        /*
                           SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
@@ -10191,6 +10192,15 @@ static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct pr
        return 0;
 }
 
+/* parse the "ssl-skip-self-issued-ca" keyword in global section.  */
+static int ssl_parse_skip_self_issued_ca(char **args, int section_type, struct proxy *curpx,
+                                        struct proxy *defpx, const char *file, int line,
+                                        char **err)
+{
+       global_ssl.skip_self_issued_ca = 1;
+       return 0;
+}
+
 /* "issuers-chain-path" load chain certificate in global */
 static int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err)
 {
@@ -12997,6 +13007,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #ifndef OPENSSL_NO_ENGINE
        { CFG_GLOBAL, "ssl-engine",  ssl_parse_global_ssl_engine },
 #endif
+       { CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
        { CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },
 #ifndef OPENSSL_NO_DH
        { CFG_GLOBAL, "tune.ssl.default-dh-param", ssl_parse_global_default_dh },