> On 13 June 2017 at 14:13, Wolvers, Bas <[email protected]> wrote:
>
> That would do nicely.
>
> Is there something useful I can do to help?
>
Can you test with this patch?
0001-MINOR-ssl-add-no-ca-names-parameter-for-bind.patch
> -----Original Message-----
> From: Emmanuel Hocdet [mailto:[email protected]]
> Sent: Monday 12 June 2017 17:58
> To: Wolvers, Bas
> Cc: [email protected]
> Subject: Re: Feature request: disable CA/distinguished names.
>
> Thanks for the explanation.
> I think a parameter like 'no-ca-names' could do the job, or do you have a better
> name?
>
> Manu
>
>> On 12 June 2017 at 14:32, Wolvers, Bas <[email protected]> wrote:
>>
>> If you connect to a haproxy TLS server with CA names on (verify optional or
>> required), part of the server hello message is the list of CAs that are
>> accepted.
>> The client can use this list to decide which certificate to send as its
>> client certificate.
>>
>> The problem arises when this list is long: the server hello message gets
>> really long as well.
>> If the list is very long the server hello becomes prohibitively big, making
>> client connections fail.
>>
>> So disabling the list of CA names in the server hello message reduces the
>> message size.
>> Lots of clients don't need to be told which certificate to send, and this
>> list is optional since TLS 1.1 if memory serves me well.
>>
>> I'm running a system which (for good reason) runs on self-signed
>> certificates, so technically I have a CA for every client.
>> With more than 30 CAs I had clients that had problems connecting because
>> the server hello is too big.
>> With CA names turned off I tested with 10000 CAs loaded without problems.
>>
>> -----Original Message-----
>> From: Emmanuel Hocdet [mailto:[email protected]]
>> Sent: Monday 12 June 2017 14:22
>> To: Wolvers, Bas
>> Cc: [email protected]
>> Subject: Re: Feature request: disable CA/distinguished names.
>>
>> I don't understand.
>> CA certs are loaded by haproxy when needed: i.e. if the 'ca-file' parameter is
>> used and 'verify' is set to 'optional' or 'required'.
>>
>>> On 12 June 2017 at 13:00, Wolvers, Bas <[email protected]> wrote:
>>>
>>> For setups with large amounts of CA certs it can be a really good idea to
>>> turn off CA names in the key exchange.
>>> As far as I understand it is optional to send CA names, and it works fine
>>> with these turned off.
>>> This is also called distinguished names.
>>>
>>> To do this a single line should not be executed:
>>> SSL_CTX_set_client_CA_list(ctx,
>>> SSL_load_client_CA_file(ca_file));
>>> (in ssl_sock.c, function ssl_sock_prepare_ctx).
>>>
>>> I currently disable this with an LD_PRELOAD shim, but I think it would be a
>>> good idea to make this an ssl option, similar to force_tls12 etc.
>>>
>>> /*
>>>  * This shim disables 2 OpenSSL functions.
>>>  * The effect of this is that no client CA names, also known as
>>>  * distinguished names, are loaded; this reduces SSL traffic with large
>>>  * numbers of CA certificates.
>>>  *
>>>  * This is made to be used with HAPROXY since it does not have a
>>>  * setting to disable this in the configuration.
>>>  */
>>> #include <stdio.h>
>>>
>>> /* Overrides SSL_CTX_set_client_CA_list(SSL_CTX *, STACK_OF(X509_NAME) *):
>>>  * the CA name list is never installed on the context, so the server
>>>  * sends an empty list in its certificate request. */
>>> void SSL_CTX_set_client_CA_list(void *one, void *two)
>>> {
>>>     (void)one;
>>>     (void)two;
>>>     printf("SSL_CTX_set_client_CA_list called but disabled by shim.\n");
>>> }
>>>
>>> /* Overrides SSL_load_client_CA_file(const char *): returning NULL means
>>>  * no CA names are read from the file at all. */
>>> void *SSL_load_client_CA_file(void *one)
>>> {
>>>     (void)one;
>>>     printf("SSL_load_client_CA_file called but disabled by shim.\n");
>>>     return 0;
>>> }
>>>
>>
>
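As an added illustration of the handshake-size problem discussed in the thread (my own example, not code from the thread or from HAProxy): the CA list the messages refer to as part of the "server hello" is carried in the TLS 1.2 CertificateRequest message of the server's first flight (RFC 5246, section 7.4.4), where each CA's DER-encoded X.509 Name is sent with a 2-byte length prefix inside a vector capped at 65535 bytes. The script builds that vector from constructed per-client CA names (the organization and CN values are assumptions) and reports how many bytes a given number of CAs adds, refusing lists that cannot be encoded at all.

```python
# Constructed example: measure the TLS 1.2 CertificateRequest overhead caused by
# the certificate_authorities list (RFC 5246 section 7.4.4). Each CA's DER Name
# is sent as a 2-byte-length-prefixed DistinguishedName; the whole vector is
# itself length-prefixed and limited to 2^16-1 bytes.
import struct

OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")    # 2.5.4.10 organizationName
VECTOR_MAX = 0xFFFF                # certificate_authorities<0..2^16-1>

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_name(cn: str, org: str) -> bytes:
    """Minimal X.509 Name: SEQUENCE of single-attribute RDN SETs (O, then CN)."""
    def rdn(oid: bytes, value: str) -> bytes:
        attr = der_tlv(0x06, oid) + der_tlv(0x0C, value.encode())  # OID + UTF8String
        return der_tlv(0x31, der_tlv(0x30, attr))                    # SET { SEQUENCE }
    return der_tlv(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))

def certificate_authorities(names: list) -> bytes:
    """Encode the certificate_authorities vector exactly as TLS 1.2 does."""
    body = b"".join(struct.pack("!H", len(n)) + n for n in names)
    if len(body) > VECTOR_MAX:
        raise ValueError(f"certificate_authorities would be {len(body)} bytes, "
                         f"over the {VECTOR_MAX} byte limit")
    return struct.pack("!H", len(body)) + body

def ca_list_overhead(num_cas: int, org: str = "Example Corp") -> int:
    """Bytes added to the server's first flight by num_cas per-client CA names
    (assumed names of the form CN=client-NNNNN, O=Example Corp)."""
    names = [der_name(f"client-{i:05d}", org) for i in range(num_cas)]
    return len(certificate_authorities(names))

if __name__ == "__main__":
    for n in (0, 30, 1000):
        print(f"{n:5d} CAs -> {ca_list_overhead(n)} bytes of certificate_authorities")
```

Note that with names enabled, the 10000 CAs the thread mentions could not be encoded in this vector at all (even minimal names exceed 65535 bytes), which is why dropping the list, rather than shrinking the trust store, is the fix.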

