From: Emmanuel Hocdet Date: Fri, 28 Jul 2017 13:01:05 +0000 (+0200) Subject: MINOR: ssl: add "no-ca-names" parameter for bind X-Git-Tag: v1.8-dev3~203 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=174dfe55a01bca1206d4107bddc2145a3bd2b594;p=thirdparty%2Fhaproxy.git MINOR: ssl: add "no-ca-names" parameter for bind This option prevent to send CA names in server hello message when ca-file is used. This parameter is also available in "crt-list". --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 4104868351..bfeb3ce0eb 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -10418,9 +10418,9 @@ crt-list [\[ ...\]] [[!] ...] - sslbindconf support "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", - "curves", "ciphers" configuration. With BoringSSL "ssl-min-ver" and - "ssl-max-ver" are also supported. + sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names", + crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL + "ssl-min-ver" and "ssl-max-ver" are also supported. It override the configuration set in bind line for the certificate. Wildcards are supported in the SNI filter. Negative filter are also supported, @@ -10601,6 +10601,10 @@ nice it may make sense to use a positive value for an SMTP socket and a negative one for an RDP socket. +no-ca-names + This setting is only available when support for OpenSSL was built in. It + prevents from send CA names in server hello message when ca-file is used. + no-sslv3 This setting is only available when support for OpenSSL was built in. It disables support for SSLv3 on any sockets instantiated from the listener when diff --git a/include/types/listener.h b/include/types/listener.h index 9a77e96544..f309c84f0b 100644 --- a/include/types/listener.h +++ b/include/types/listener.h 
@@ -118,7 +118,8 @@ struct ssl_bind_conf {
 char *alpn_str; /* ALPN protocol string */
 int alpn_len; /* ALPN protocol string length */
 #endif
- int verify; /* verify method (set of SSL_VERIFY_* flags) */
+ int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
+ int no_ca_names:1; /* do not send ca names to clients (ca_file related) */
 char *ca_file; /* CAfile to use on verify */
 char *crl_file; /* CRLfile to use on verify */
 char *ciphers; /* cipher suite to use if non-null */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 207f4275a3..b4d4e14fe7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3703,8 +3703,10 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
 cfgerr++;
 }
- /* set CA names fo client cert request, function returns void */
- SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+ if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
+ /* set CA names for client cert request, function returns void */
+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
+ }
 }
 else {
 Alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
@@ -7045,6 +7047,17 @@ static int bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct
 return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err);
 }
 
+/* parse the "no-ca-names" bind keyword */
+static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+{
+ conf->no_ca_names = 1;
+ return 0;
+}
+static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, err);
+}
+
 /************** "server" keywords ****************/
 
 /* parse the "ca-file" server keyword */
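Review bot: `int verify:3;` and `int no_ca_names:1;` are plain-`int` bit-fields, whose signedness is implementation-defined; where they come out signed, the 3-bit field can only hold -4..3 (the current SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT combination fits, but SSL_VERIFY_CLIENT_ONCE, value 4, would not) and storing 1 into the 1-bit field reads back as -1, which still tests true but defeats any `== 1` comparison. Declaring them `unsigned int verify:3;` and `unsigned int no_ca_names:1;` removes both hazards at no cost. Narrowing `verify` from a full `int` also silently truncates any future flag value above the field width, so a comment such as `/* 3 bits: only SSL_VERIFY_NONE/PEER/FAIL_IF_NO_PEER_CERT combinations fit */` would make the bound explicit for the next writer of the field. The struct definition continues outside the hunk.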
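Review bot: The guard `if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names))` makes the bind-level setting win over the per-certificate one, so a crt-list entry cannot re-enable CA names once the bind line disables them, which is the opposite of how the other sslbindconf keywords are documented to override the bind line; this is consistent with the parser in the next hunk only ever setting the flag to 1, but it deserves a comment, e.g. `/* no-ca-names is sticky: set on the bind line it applies to every crt-list entry and cannot be re-enabled per certificate */`. It would also help to state why the list is optional at all, since the CA names go out in the CertificateRequest to any unauthenticated client and thus reveal which CAs the server trusts. The moved `SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file))` line still passes the loader's result through unchecked; that predates this change, but a NULL from an unreadable file would silently clear the list, and the earlier load-verify-locations failure (cfgerr++ above) is presumably the only thing that reports it. ssl_sock_prepare_ctx continues outside the hunk.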
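Review bot: `bind_parse_no_ca_names` has no header comment and no blank line separating it from `ssl_bind_parse_no_ca_names`, unlike the neighbouring `bind_parse_verify`/`ssl_bind_parse_verify` pair which this code mirrors. A one-liner such as `/* parse the "no-ca-names" bind keyword: forwards to ssl_bind_parse_no_ca_names() with the bind-level ssl_conf */` on the wrapper keeps the file's per-keyword documentation pattern intact. The unused `args`, `cur_arg`, `px` and `err` parameters are imposed by the keyword-parser signature, so leaving them is fine; a `(void)` cast is not the convention in this file.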
@@ -7957,6 +7970,7 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
 { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
 { "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
 { "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
 { "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
 { "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
 { "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
@@ -7983,6 +7997,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 { "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
 { "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
 { "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
+ { "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
 { "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
 { "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
 { "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */