From: William Lallemand Date: Wed, 25 May 2022 22:18:46 +0000 (+0200) Subject: DOC: configuration: add a warning for @system-ca on bind X-Git-Tag: v2.6-dev12~112 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1639d6c02b30a4effddb702070d10227c34ffa41;p=thirdparty%2Fhaproxy.git DOC: configuration: add a warning for @system-ca on bind Add a warning on @system-ca on the bind line so people don't use it this way. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index d9fd06dbd1..c289523f67 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13872,6 +13872,13 @@ ca-file CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and .crl" available in the directory, files starting with a dot are ignored. + Warning: The "@system-ca" parameter could be used in place of the cafile + in order to use the trusted CAs of your system, like its done with the server + directive. But you mustn't use it unless you know what you are doing. + Configuring it this way basically mean that the bind will accept any client + certificate generated from one of the CA present on your system, which is + extremely unsecure. + ca-ignore-err [all|,...] This setting is only available when support for OpenSSL was built in. Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
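Review bot: the added warning paragraph in the doc/configuration.txt hunk has several wording errors that should be fixed before merge: "like its done with the server directive" should read "as is done with the server directive", "Configuring it this way basically mean" should be "basically means", "one of the CA present on your system" should be "one of the CAs present on your system", and "extremely unsecure" should be "extremely insecure". Beyond grammar, the paragraph states the danger but not the alternative; one sentence telling the reader what to do instead (point "ca-file" at a dedicated CA bundle that contains only the CA(s) you issued client certificates from) would make the warning actionable, since the whole point of client-certificate verification on a bind is to restrict which issuers are trusted, and the system store contains every public CA the OS trusts.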