From: William Lallemand Date: Tue, 21 May 2024 15:49:58 +0000 (+0200) Subject: DOC: configuration: update the crt-list documentation X-Git-Tag: v3.0-dev13~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e732de7db2da814a9b48c7664cd7785f031c429f;p=thirdparty%2Fhaproxy.git DOC: configuration: update the crt-list documentation Update the crt-list documentation with the supported keywords. Also format it in a more clear way. Must be backported to 2.8. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index b17b33a471..04a55ae947 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16025,11 +16025,28 @@ crt-list [\[ ...\]] [[!] ...] - sslbindconf supports "allow-0rtt", "alpn", "ca-file", "ca-verify-file", - "ciphers", "ciphersuites", "crl-file", "curves", "ecdhe", "no-ca-names", - "npn", "verify" configuration. With BoringSSL and Openssl >= 1.1.1 - "ssl-min-ver" and "ssl-max-ver" are also supported. It overrides the - configuration set in bind line for the certificate. + sslbindconf supports the following keywords from the bind line + (see Section 5.1. Bind options): + + - allow-0rtt + - alpn + - ca-file + - ca-verify-file + - ciphers + - ciphersuites + - client-sigalgs + - crl-file + - curves + - ecdhe + - no-alpn + - no-ca-names + - npn + - sigalgs + - ssl-min-ver + - ssl-max-ver + - verify + + It overrides the configuration set in bind line for the certificate. Wildcards are supported in the SNI filter. Negative filter are also supported, useful in combination with a wildcard filter to exclude a particular SNI, or diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c index b3bba82690..e7a7d471bd 100644 --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c 
@@ -2157,7 +2157,12 @@ static int ssl_parse_skip_self_issued_ca(char **args, int section_type, struct p */ /* the keywords are used for crt-list parsing, they *MUST* be safe - * with their proxy argument NULL and must only fill the ssl_bind_conf */ + * with their proxy argument NULL and must only fill the ssl_bind_conf + * + * /!\ Please update configuration.txt at the crt-list option of the Bind options + * section when adding a keyword in ssl_crtlist_kws. /!\ + * + */ struct ssl_crtlist_kw ssl_crtlist_kws[] = { { "allow-0rtt", ssl_bind_parse_allow_0rtt, 0 }, /* allow 0-RTT */ { "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */
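Review bot: In the doc/configuration.txt hunk, the removed paragraph qualified "ssl-min-ver" and "ssl-max-ver" with "With BoringSSL and Openssl >= 1.1.1", but the new bullet list presents both keywords unconditionally; if that qualifier is now obsolete for the supported library versions, the commit message should say so, otherwise keep a short parenthetical next to those two entries. The retained sentence "It overrides the configuration set in bind line for the certificate." reads better as "It overrides the configuration set in the bind line for the certificate."; since "verify", "ca-file", "ca-verify-file" and "crl-file" are among the listed keywords, it is worth stating explicitly that client certificate verification settings are overridden per certificate as well, because a per-certificate entry silently replaces what the bind line configures. The unchanged context "Negative filter are also supported" should be "Negative filters are also supported" in a follow-up.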
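Review bot: In the src/cfgparse-ssl.c hunk, the new comment is a manual reminder only and nothing checks that ssl_crtlist_kws[] and the keyword list in configuration.txt stay in sync; only the "allow-0rtt" and "alpn" entries are visible here, so the list in the doc hunk cannot be verified against the table from this diff alone, and the reminder could point to the exact location, e.g. "section 5.1 (Bind options), crt-list keyword", to make the lookup unambiguous. As a style point, the blank " *" line before " */" is superfluous and the "/!\ ... /!\" markers are not used elsewhere in this comment block; a plain "NOTE:" line would match the surrounding comment style.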