I don't understand. CA certs are loaded by haproxy when needed: i.e. if the 'ca-file' parameter is used and 'verify' is set to 'optional' or 'required'.
> On 12 June 2017 at 13:00, Wolvers, Bas <[email protected]> wrote:
>
> For setups with large amounts of CA certs it can be a really good idea to
> turn off CA names in the key exchange.
> As far as I understand it is optional to send CA names, and it works fine
> with these turned off.
> This is also called distinguished names.
>
> To do this a single line should not be executed.
>     SSL_CTX_set_client_CA_list(ctx,
>         SSL_load_client_CA_file(ca_file));
> (in ssl_sock.c, function ssl_sock_prepare_ctx).
>
> I currently disable this with a LD_PRELOAD shim, but I think it would be a
> good idea to make this an ssl option, similar to force_tls12 etc.
>
>     /*
>      * This shim disables 2 openssl functions.
>      * The effect of this is that no client CA names,
>      * also known as distinguished names, are loaded;
>      * this reduces ssl traffic with large numbers of
>      * CA certificates.
>      *
>      * This is made to be used with HAPROXY since it
>      * does not have a setting to disable this in the
>      * configuration.
>      *
>      * Build: gcc -shared -fPIC -o ca_shim.so ca_shim.c
>      * Use:   LD_PRELOAD=./ca_shim.so haproxy -f haproxy.cfg
>      */
>     #include <stdio.h>
>
>     /* Overrides SSL_CTX_set_client_CA_list(SSL_CTX *, STACK_OF(X509_NAME) *).
>      * Both arguments are ignored, so the context keeps an empty CA list. */
>     void SSL_CTX_set_client_CA_list(void *one, void *two) {
>         (void)one;
>         (void)two;
>         printf("SSL_CTX_set_client_CA_list called but disabled by shim.\n");
>         return;
>     }
>
>     /* Overrides STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *).
>      * Returns NULL so no CA names are ever loaded from the file. */
>     void *SSL_load_client_CA_file(void *one) {
>         (void)one;
>         printf("SSL_load_client_CA_file called but disabled by shim.\n");
>         return 0;
>     }
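To make the size argument in the quoted message concrete, here is an added example (not code from the thread, from HAProxy or from OpenSSL) that builds and parses the TLS 1.2 CertificateRequest body defined in RFC 5246 section 7.4.4, which is where the server's list of acceptable CA distinguished names travels. The CA names are constructed DER-encoded X.509 Names with a single commonName, and the certificate_types and signature_algorithms values are placeholders. It shows that every CA in the list costs its full DER Name plus a 2-byte length prefix on every handshake, and that the whole list is capped by a 16-bit length field, so a large enough trust store cannot be encoded at all.

```python
import struct

# --- Minimal DER helpers for constructing X.509 Names (constructed test data) ---

def der_len(n):
    """Encode a DER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def der_name_cn(cn):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    Here a single RDN holding commonName as a PrintableString (tag 0x13)."""
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x13, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))


# --- TLS 1.2 CertificateRequest body (RFC 5246, 7.4.4) ---
#   opaque certificate_types<1..2^8-1>;
#   SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
#   DistinguishedName certificate_authorities<0..2^16-1>;

PLACEHOLDER_CERT_TYPES = b"\x01\x40"                  # rsa_sign, ecdsa_sign
PLACEHOLDER_SIG_ALGS = b"\x04\x01\x05\x01\x06\x01"    # sha256/384/512 + rsa


def build_certificate_request(ca_names, cert_types=PLACEHOLDER_CERT_TYPES,
                              sig_algs=PLACEHOLDER_SIG_ALGS):
    """Serialize a CertificateRequest body; ca_names is a list of DER Names."""
    cas = b"".join(struct.pack("!H", len(name)) + name for name in ca_names)
    if len(cas) > 0xFFFF:
        # The list length is a 16-bit field: a big trust store simply does not fit.
        raise ValueError("certificate_authorities exceeds 65535 bytes: %d" % len(cas))
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)


def parse_certificate_request(body):
    """Parse a CertificateRequest body back into its fields.
    Returns the raw DER Names and the byte count the CA list consumed."""
    pos = 0
    n = body[pos]; pos += 1
    cert_types = body[pos:pos + n]; pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    sig_algs = body[pos:pos + n]; pos += n
    total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + total
    if end > len(body):
        raise ValueError("truncated certificate_authorities")
    names = []
    while pos < end:
        n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        if pos + n > end:
            raise ValueError("DistinguishedName runs past the list")
        names.append(body[pos:pos + n]); pos += n
    return {"cert_types": cert_types, "sig_algs": sig_algs,
            "ca_names": names, "ca_bytes": total}


if __name__ == "__main__":
    # Constructed sample: three short CA names; real DNs with O/OU/C are far larger.
    names = [der_name_cn("Test CA %d" % i) for i in range(1, 4)]
    with_cas = build_certificate_request(names)
    without_cas = build_certificate_request([])
    print("with 3 CA names: %d bytes, CA list alone: %d bytes"
          % (len(with_cas), parse_certificate_request(with_cas)["ca_bytes"]))
    print("with no CA names: %d bytes" % len(without_cas))
```

Omitting the list (an empty certificate_authorities) is what the shim in the quoted message achieves; the server still verifies the presented client certificate against its own ca-file, so the trade-off is only that a client holding several client certificates loses the hint it would otherwise use to pick the one issued by an acceptable CA. In TLS 1.3 the same names move into the certificate_authorities extension of CertificateRequest (RFC 8446, 4.2.4), with the same per-name cost.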

