Hi Willy
thanks!
> On 28 Jul 2017 at 15:23, Willy TARREAU wrote:
>
> Hi Manu,
>
> thank you!
>
> I've just applied a minor change below :
>
> - int verify:2; /* verify method (set of SSL_VERIFY_* flags)
> */
> + int verify:3; /* verify method (set of S
Hi Manu,
thank you!
I've just applied a minor change below :
- int verify:2; /* verify method (set of SSL_VERIFY_* flags)
*/
+ int verify:3; /* verify method (set of SSL_VERIFY_* flags)
*/
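Review bot: `verify` is declared as a plain `int` bit-field although its comment says it holds a set of SSL_VERIFY_* flags. Whether a plain `int` bit-field is signed is implementation-defined in C, and where it is signed the top bit of `verify:3` is the sign bit, so a flag stored there reads back as a negative value. Declaring it `unsigned int verify:3;` keeps all three bits usable as flag bits and makes comparisons against the flag constants unambiguous.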
I've put 3 bits for verify instead of 2 because while apparently
Hi Emeric
Thanks for the review
patch with ‘{}’ include
++
Manu
0001-MINOR-ssl-add-no-ca-names-parameter-for-bind.patch
Description: Binary data
> On 27 Jul 2017 at 18:47, Emeric Brun wrote:
>
> Hi Manu,
>
>
> Could you add a block '{ }' or move the comment on the comment on follow
On Thu, Jul 27, 2017 at 06:47:38PM +0200, Emeric Brun wrote:
> A second point, I don't know which is the current policy about the keyword
> prefix "no-" in configuration statements, but
> we usually take care using this word.
>
> Willy, would you clarify that point?
In fact we were very careful
Hi Manu,
Could you add a block '{ }' or move the comment on the comment on following
lines:
+ if (!((ssl_conf && ssl_conf->no_ca_names) ||
bind_conf->ssl_conf.no_ca_names))
+ /* set CA names fo client cert request,
function returns void */
+
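Review bot: the added `if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names))` has no braces and a comment sits between it and the statement it guards, so the guarded call is easy to misread and easy to detach from the condition in a later edit. Wrap the body in `{ }` with the comment inside the block, and fix the typo "fo" to "for" in that comment. The outer negation around two "no_" flags is also hard to verify by eye; naming the combined result before testing it would make the intended default (CA names sent unless disabled) explicit.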
dev will be a good step.
Emeric or Willy must find time to review and consider the merge.
++
Manu
> Best regards,
>
> Bas
>
> -Original Message-
> From: Emmanuel Hocdet [mailto:m...@gandi.net]
> Sent: Monday 10 July 2017 17:46
> To: Wolvers, Bas
> Cc: haproxy@
ormilux.org
Subject: Re: Feature request: disable CA/distinguished names.
Hi Bas,
> On 10 Jul 2017 at 17:05, Wolvers, Bas wrote:
>
> Hi Emmanuel,
>
> I finally found time to test your patch.
>
> It works, but you can't seem to turn it off.
> no-ca-names seems to b
Hi Bas,
> On 10 Jul 2017 at 17:05, Wolvers, Bas wrote:
>
> Hi Emmanuel,
>
> I finally found time to test your patch.
>
> It works, but you can't seem to turn it off.
> no-ca-names seems to be active regardless of the option in the config file.
>
oops i fail the double negation.
fix patc
it limited unfortunately.
Best regards,
Bas
-Original Message-
From: Emmanuel Hocdet [mailto:m...@gandi.net]
Sent: Tuesday 13 June 2017 15:39
To: Wolvers, Bas
Cc: haproxy@formilux.org
Subject: Re: Feature request: disable CA/distinguished names.
> Le 13 juin 2017 à 14:13, Wolvers, Bas a écri
> From: Emmanuel Hocdet [mailto:m...@gandi.net]
> Sent: Monday 12 June 2017 17:58
> To: Wolvers, Bas
> Cc: haproxy@formilux.org
> Subject: Re: Feature request: disable CA/distinguished names.
>
> Thanks for the explanation.
> I think a parameter like ‘no-ca-names’ c
That would do nicely.
Is there something useful I can do to help?
-Original Message-
From: Emmanuel Hocdet [mailto:m...@gandi.net]
Sent: Monday 12 June 2017 17:58
To: Wolvers, Bas
Cc: haproxy@formilux.org
Subject: Re: Feature request: disable CA/distinguished names.
Thanks for the
big.
> With CA names turned off I tested with 1 CA's loaded without problems.
>
> -Original Message-
> From: Emmanuel Hocdet [mailto:m...@gandi.net]
> Sent: Monday 12 June 2017 14:22
> To: Wolvers, Bas
> Cc: haproxy@formilux.org
> Subject: Re: Feature request:
er hello is too big.
With CA names turned off I tested with 1 CA's loaded without problems.
-Original Message-
From: Emmanuel Hocdet [mailto:m...@gandi.net]
Sent: Monday 12 June 2017 14:22
To: Wolvers, Bas
Cc: haproxy@formilux.org
Subject: Re: Feature request: disable CA/distingui
I don't understand.
CA certs are loaded by haproxy when needed: i.e if 'ca-file’ parameter is used
and ‘verify’ is set to ‘optional’ or ‘required’.
> On 12 Jun 2017 at 13:00, Wolvers, Bas wrote:
>
> For setups with large amounts of CA certs it can be a really good idea to
> turn off CA name
For setups with large amounts of CA certs it can be a really good idea to turn
off CA names in the key exchange.
As far as I understand it is optional to send CA names, and it works fine with
these turned off.
This is also called distinguished names.
To do this a single line should not be execut