For setups with large amounts of CA certs it can be a really good idea to turn
off CA names in the key exchange.
As far as I understand it is optional to send CA names, and it works fine with
these turned off.
This is also called distinguished names.
To do this, a single line should not be executed:
    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
(in ssl_sock.c, function ssl_sock_prepare_ctx).
I currently disable this with an LD_PRELOAD shim, but I think it would be a good
idea to make this an ssl option, similar to force_tls12 etc.
/*
This shim disables 2 openssl functions.
The effect of this is that no client CA names,
also known as distinguished names, are loaded;
this reduces ssl traffic with large numbers of
CA certificates.
This is made to be used with HAPROXY since it
does not have a setting to disable this in the
configuration.
*/
#include <stdio.h>

/* Overrides libssl's SSL_CTX_set_client_CA_list: the CA list is never installed. */
void SSL_CTX_set_client_CA_list(void *one, void *two) {
    printf("SSL_CTX_set_client_CA_list called but disabled by shim.\n");
    return;
}

/* Overrides libssl's SSL_load_client_CA_file: no file is read, NULL is returned. */
void *SSL_load_client_CA_file(void *one) {
    printf("SSL_load_client_CA_file called but disabled by shim.\n");
    return 0;
}
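An alternative form of the same LD_PRELOAD shim, added here as an example and not the poster's code: it only suppresses the CA names when a (hypothetical) HAPROXY_SSL_NO_CA_NAMES variable is set, otherwise it forwards to the real libssl functions via dlsym(RTLD_NEXT), and it logs to stderr rather than stdout. The opaque typedefs are stand-ins for OpenSSL's types so the file builds without libssl headers.

```c
#define _GNU_SOURCE           /* for RTLD_NEXT */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1l)   /* glibc's value, if the macro was not exposed */
#endif

/* Opaque stand-ins matching OpenSSL's struct tags, so no libssl headers are needed. */
typedef struct ssl_ctx_st SSL_CTX;
typedef struct stack_st_X509_NAME X509_NAME_STACK;

/* Hypothetical switch: suppress CA names only when HAPROXY_SSL_NO_CA_NAMES is
 * set to anything but "0", so the shim can stay preloaded and be toggled. */
int ca_names_disabled(void)
{
    const char *v = getenv("HAPROXY_SSL_NO_CA_NAMES");
    return v != NULL && strcmp(v, "0") != 0;
}

/* Real libssl symbol behind this shim; NULL when libssl is not in the process. */
static void *real_symbol(const char *name)
{
    return dlsym(RTLD_NEXT, name);
}

X509_NAME_STACK *SSL_load_client_CA_file(const char *file)
{
    X509_NAME_STACK *(*real)(const char *) = NULL;
    if (ca_names_disabled()) {
        fprintf(stderr, "shim: not loading client CA names from %s\n", file);
        return NULL;   /* HAProxy then passes NULL on to SSL_CTX_set_client_CA_list */
    }
    *(void **)(&real) = real_symbol("SSL_load_client_CA_file");
    return real != NULL ? real(file) : NULL;
}

void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, X509_NAME_STACK *list)
{
    void (*real)(SSL_CTX *, X509_NAME_STACK *) = NULL;
    if (ca_names_disabled()) {
        fprintf(stderr, "shim: leaving the client CA list empty\n");
        return;        /* no distinguished names go into CertificateRequest */
    }
    *(void **)(&real) = real_symbol("SSL_CTX_set_client_CA_list");
    if (real != NULL)
        real(ctx, list);
}
```

With an empty list the CertificateRequest carries no DN hint, so clients must choose their certificate on their own; check that the real client population still picks the right one before relying on this.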