On Fri, Jul 10, 2020 at 3:51 PM William Lallemand <[email protected]> wrote:
> Hello,
>
>
> On Sun, Jul 05, 2020 at 09:43:22AM +0300, [email protected] wrote:
> > From: Shimi Gersner <[email protected]>
> >
> > haproxy supports generating SSL certificates based on SNI using a provided
> > CA signing certificate. Because CA certificates may be signed by multiple
> > CAs, in some scenarios, it is necessary for the server to attach the trust chain
> > in addition to the generated certificate.
> >
> > The following patch adds the ability to optionally serve all public
> > certificates provided in the `ca-sign-file` PEM file.
> > Certificate loading was ported to use `ca_sign_use_chain` structure,
> > instead of directly reading public/private keys.
>
> Totally makes sense in my opinion. But if I understand correctly you only
> need the certificate to be signed by the leaf CA in the chain and
> provide all the chain to the client. We probably don't need a new
> option for this.
>
> So what I suggest is to put the chain in the "ca-sign-file" so it will
> work the same way as the "crt" keyword.
>

Yes, that is how it is currently implemented; the chain is read from "ca-sign-file".
I wasn't worried too much, but felt it's better not to introduce a potential
change in behaviour and disabled this by default. I'm going forward with
enabling this by default and removing the flag - Is that correct?

> > ---
> > doc/configuration.txt | 8 +++
> > include/haproxy/listener-t.h | 4 +-
> > src/cfgparse-ssl.c | 13 +++++
> > src/ssl_sock.c | 98 ++++++++++++++++++++----------------
> > 4 files changed, 78 insertions(+), 45 deletions(-)
> >
> > diff --git a/doc/configuration.txt b/doc/configuration.txt
> > index 6d472134e..1d3878bc1 100644
> > --- a/doc/configuration.txt
> > +++ b/doc/configuration.txt
> > @@ -12158,6 +12158,14 @@ ca-sign-pass <passphrase>
> > the dynamic generation of certificates is enabled. See
> > 'generate-certificates' for details.
> >
> > +ca-sign-use-chain
> > + This setting is only available when support for OpenSSL was built in. It is
> > + the CA private key passphrase. This setting is optional and used only when
>
> Copy-paste error there :-)

Ack!

> > + the dynamic generation of certificates is enabled. See
> > + 'generate-certificates' for details.
> > + Enabling this flag will attach all public certificates encoded in `ca-sign-file`
> > + to the served certificate to the client, enabling trust.
> > +
>
> --
> William Lallemand
>
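Review bot: the new ca-sign-use-chain entry in the doc/configuration.txt hunk carries the ca-sign-pass text ("It is the CA private key passphrase. This setting is optional and used only when ...") in place of a description of the keyword; replace those two lines with what the option actually does, e.g. `When set, all certificates found in "ca-sign-file" are sent to the client together with the generated certificate, so that a client which only trusts the root CA can build the chain.` Given the agreement in the thread to drop the flag and always send the chain, that sentence belongs under the "ca-sign-file" keyword instead, stating that the file may hold the chain after the CA certificate and key, laid out as for "crt". Two smaller points on the same hunk: "enabling trust" is too vague to tell the reader what changes on the wire, and the surrounding text refers to keywords in single quotes ('generate-certificates') while the added lines use backticks for `ca-sign-file`. The diffstat also lists changes to include/haproxy/listener-t.h, src/cfgparse-ssl.c and src/ssl_sock.c that are not part of this mail, so the loading change itself cannot be reviewed here.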

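As an added illustration of the point William and Shimi settle on above (this is not HAProxy's code and not part of the original thread): a POSIX shell script that builds a throwaway PKI with openssl, lays out a ca-sign-file PEM the way the thread proposes (the signing CA's certificate and key followed by the rest of the chain, as for the "crt" keyword), issues a leaf the way HAProxy's dynamic generation would, and shows with openssl verify that a client trusting only the root rejects the bare leaf but accepts it once the chain taken from ca-sign-file travels with it. The CA names, file names, helper names and the PEM ordering are assumptions made for the demo; nothing here depends on HAProxy's actual parser.

```shell
#!/bin/sh
# Added example, not HAProxy's code: lay out a ca-sign-file PEM that carries
# the signing CA's certificate, its private key and the rest of the chain
# (the layout the thread proposes, mirroring the "crt" keyword), then show
# with openssl why a client that trusts only the root cannot validate a
# generated leaf unless the intermediate is sent along with it.
# CA names, file names and the PEM ordering are assumptions for the demo.
set -u

WORK=$(mktemp -d)
CA_SIGN_FILE="$WORK/ca-sign-file.pem"

# Extensions that make a certificate acceptable as a CA during path building.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# mkcsr <name> <subject>: P-256 key plus CSR; EC keeps this quick and offline.
mkcsr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Root CA, an issuing (intermediate) CA signed by it, and the ca-sign-file:
# issuing CA cert, issuing CA key, then the root (the part HAProxy would send).
setup_pki() {
    mkcsr root "/CN=Example Root CA" || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1
    mkcsr inter "/CN=Example Issuing CA" || return 1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" \
        >/dev/null 2>&1 || return 1
    cat "$WORK/inter.crt" "$WORK/inter.key" "$WORK/root.crt" > "$CA_SIGN_FILE"
}

# issue_leaf <sni>: stand-in for HAProxy's generate-certificates, which signs a
# leaf for the requested SNI with the CA key from ca-sign-file (same key here).
issue_leaf() {
    mkcsr leaf "/CN=$1" || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Every CERTIFICATE block in ca-sign-file, private key skipped: what the patch
# would append to the generated certificate on the wire.
chain_from_ca_sign_file() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {p=0}' \
        "$CA_SIGN_FILE"
}

# Number of certificates the file carries (issuing CA + root here).
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$CA_SIGN_FILE"
}

# A client holding only the root, handed the bare leaf: no issuer available.
verify_leaf_without_chain() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The same client once the chain from ca-sign-file travels with the leaf.
verify_leaf_with_chain() {
    chain_from_ca_sign_file > "$WORK/chain.crt"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

main() {
    setup_pki && issue_leaf "www.example.test" || { echo "pki setup failed"; return 1; }
    echo "certificates in ca-sign-file: $(count_chain_certs)"
    if verify_leaf_without_chain; then echo "bare leaf: accepted"; else echo "bare leaf: rejected (no issuer)"; fi
    if verify_leaf_with_chain; then echo "leaf + chain: accepted"; else echo "leaf + chain: rejected"; fi
}

main
```

The point the script makes is the one behind the patch: a browser or API client ships the root, not the issuing CA, so a dynamically generated leaf is only usable if the intermediate accompanies it; whether that intermediate comes from a separate option or, as William suggests, from the same PEM as the signing key, is a question of configuration surface rather than of trust.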
