Hello,
On Sun, Jul 05, 2020 at 09:43:22AM +0300, [email protected] wrote:
> From: Shimi Gersner <[email protected]>
>
> haproxy supports generating SSL certificates based on SNI using a provided
> CA signing certificate. Because CA certificates may be signed by multiple
> CAs, in some scenarios, it is necessary for the server to attach the trust
> chain
> in addition to the generated certificate.
>
> The following patch adds the ability to optionally serve all public
> certificates provided in the `ca-sign-file` PEM file.
> Certificate loading was ported to use `ca_sign_use_chain` structure,
> instead of directly reading public/private keys.

Totally makes sense in my opinion. But if I understand correctly you only need the certificate to be signed by the leaf CA in the chain and provide all the chain to the client. We probably don't need a new option for this. So what I suggest is to put the chain in the "ca-sign-file" so it will work the same way as the "crt" keyword.

> --- > doc/configuration.txt | 8 +++ > include/haproxy/listener-t.h | 4 +- > src/cfgparse-ssl.c | 13 +++++ > src/ssl_sock.c | 98 ++++++++++++++++++++---------------- > 4 files changed, 78 insertions(+), 45 deletions(-) > > diff --git a/doc/configuration.txt b/doc/configuration.txt > index 6d472134e..1d3878bc1 100644 > --- a/doc/configuration.txt > +++ b/doc/configuration.txt > @@ -12158,6 +12158,14 @@ ca-sign-pass <passphrase> > the dynamic generation of certificates is enabled. See > 'generate-certificates' for details. > > +ca-sign-use-chain > + This setting is only available when support for OpenSSL was built in. It is > + the CA private key passphrase. This setting is optional and used only when Copy-paste error there :-) > + the dynamic generation of certificates is enabled. See > + 'generate-certificates' for details. > + Enabling this flag will attach all public certificates encoded in > `ca-sign-file` > + to the served certificate to the client, enabling trust. > +

-- William Lallemand
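Review bot: the new `ca-sign-use-chain` entry in the doc/configuration.txt hunk still carries the `ca-sign-pass` description ("It is the CA private key passphrase. This setting is optional and used only when the dynamic generation of certificates is enabled."), so the only sentence that describes the option is the last one; the entry should say that the option takes no argument, what its default is, and that when enabled the intermediate certificates read from `ca-sign-file` are sent after the generated certificate so that clients can build the trust chain (the current wording "to the served certificate to the client, enabling trust" is hard to parse). The hunk also appears to have been wrapped by the mail client: `+ Enabling this flag will attach all public certificates encoded in` is followed by a bare `` `ca-sign-file` `` line with no leading `+`, which will make the patch fail to apply as sent, so please resend with long lines unwrapped. If the chain ends up being loaded from `ca-sign-file` unconditionally, as suggested above, this doc entry is not needed at all.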
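The layout William is proposing, written out as an added illustration that is not part of the patch or of the haproxy documentation; the file paths, the listener and the PEM ordering (mirroring what `crt` expects) are assumptions:

```haproxy
# Constructed example, not from the patch or the haproxy docs.
# Paths are placeholders.
frontend https-in
    # default.pem is served when no generated certificate matches the SNI.
    # generate-certificates makes haproxy sign a fresh leaf for each unknown
    # SNI with the CA key and certificate found in ca-sign-file.
    bind :443 ssl crt /etc/haproxy/default.pem generate-certificates ca-sign-file /etc/haproxy/signing-ca.pem ca-sign-pass CHANGE_ME
    default_backend app

# /etc/haproxy/signing-ca.pem, assumed to follow the same layout as a "crt" PEM
# so that no extra option is needed:
#   -----BEGIN CERTIFICATE-----        signing CA: the issuer of every generated leaf
#   -----BEGIN ENCRYPTED PRIVATE KEY-- its private key, protected by ca-sign-pass
#   -----BEGIN CERTIFICATE-----        intermediate(s) that issued the signing CA,
#   ...                                in issuing order, stopping before the root
# Without the intermediates in this file, a client that does not already hold
# them cannot chain the generated leaf to a trusted root and fails validation.
```

To confirm what is actually sent, connect with a test SNI name (for example `openssl s_client -servername <name> -connect 127.0.0.1:443 -showcerts`) and check that the intermediates appear after the generated leaf certificate.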

