git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Christopher Faulet <cfaulet@qualys.com>
	Tue, 9 Jun 2015 15:29:50 +0000 (17:29 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Fri, 12 Jun 2015 16:06:59 +0000 (18:06 +0200)
commit	31af49d62bb398f43d0e955ebf9a7157c38e2d56
tree	cb25a102996b93450fa5254ae65f47a8672e1a4c	tree
parent	92939d20facb6fef1da94bcb21f043f1d5e09eca	commit \| diff

MEDIUM: ssl: Add options to forge SSL certificates

With this patch, it is possible to configure HAProxy to forge the SSL
certificate sent to a client using the SNI servername. We do it in the SNI
callback.

To enable this feature, you must pass following BIND options:

* ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and
   the CA private key to create and sign server's certificates.

* (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if
   any.

* generate-certificates: Enable the dynamic generation of certificates for a
   listener.

Because generating certificates is expensive, there is a LRU cache to store
them. Its size can be customized by setting the global parameter
'tune.ssl.ssl-ctx-cache-size'.

doc/configuration.txt		diff \| blob \| blame \| history
include/common/defaults.h		diff \| blob \| blame \| history
include/proto/ssl_sock.h		diff \| blob \| blame \| history
include/types/global.h		diff \| blob \| blame \| history
include/types/listener.h		diff \| blob \| blame \| history
src/cfgparse.c		diff \| blob \| blame \| history
src/haproxy.c		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history