Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.
On Tue, 18 Feb 2020 at 21:44, Emmanuel Hocdet wrote:

> > On 18 Feb 2020, at 14:36, William Lallemand wrote:
> >
> > On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
> >>
> >>> On 18 Feb 2020, at 11:45, Emmanuel Hocdet wrote:
> >>>
> >>>> Can you add a little bit of explanation on how the discovery of the
> >>>> issuer is done in the documentation?
> >>>
> >>> ok
> >>
> >> documentation updated:
> >>
> >
> > Thanks Manu!
> >
> > Merged and pushed in master.

src/ssl_sock.c:9860:15: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
        ha_warning(warn);
                   ^~~~
src/ssl_sock.c:9860:15: note: treat the string as an argument to avoid this
        ha_warning(warn);
                   ^
                   "%s",

> w00t!
> Thanks
>
> Manu
Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.
> On 18 Feb 2020, at 14:36, William Lallemand wrote:
>
> On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
>>
>>> On 18 Feb 2020, at 11:45, Emmanuel Hocdet wrote:
>>>
>>>> Can you add a little bit of explanation on how the discovery of the
>>>> issuer is done in the documentation?
>>>
>>> ok
>>
>> documentation updated:
>>
>
> Thanks Manu!
>
> Merged and pushed in master.

w00t!
Thanks

Manu
Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.
On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
>
> > On 18 Feb 2020, at 11:45, Emmanuel Hocdet wrote:
> >
> >> Can you add a little bit of explanation on how the discovery of the
> >> issuer is done in the documentation?
> >>
> > ok
> >
> documentation updated:
>

Thanks Manu!

Merged and pushed in master.

--
William Lallemand
Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.
> On 18 Feb 2020, at 11:45, Emmanuel Hocdet wrote:
>
>> Can you add a little bit of explanation on how the discovery of the
>> issuer is done in the documentation?
>
> ok

documentation updated:

0001-MINOR-ssl-add-issuers-chain-path-directive.patch
Description: Binary data
Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.
Hi William

> On 14 Feb 2020, at 15:59, William Lallemand wrote:
>
> On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>>
>> Is there any hope that this proposal will be considered before HAproxy 2.2?
>>
>> ++
>> Manu
>
> Hello,
>
> I'm ok with the feature itself. I'm still not fond of an
> "auto-discovery" based on the SKID, but I agree that's probably the most
> convenient way of doing it for the user.
>

great news

> The way it's done we won't be able to change the issuers from the CLI
> easily, but these files don't change too often so that's not a problem
> at the moment.
>

I agree.

> Can you add a little bit of explanation on how the discovery of the
> issuer is done in the documentation?
>

ok

> I think we will probably need more information in the "show ssl cert"
> output in the future so the users can debug this kind of feature easily.
>

Yes. Showing the chain-filename would be very helpful.
For that I think a good way would be to keep ckch->chain and ckch->issuer with value (or NULL) from PEM/, and resolve chain and ocsp_issuer when needed.
« show ssl cert » will be able to find the origin of chain (and ocsp_issuer) without storing a new state.
The drawback(?) is that the .issuer file will be loaded, in every case, if present.

Something like I do for the 'chain' directive POC:
https://github.com/ehocdet/haproxy/commits/chain

++
Manu
Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.
On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
> Hi,
>
> Is there any hope that this proposal will be considered before HAproxy 2.2?
>
> ++
> Manu

Hello,

I'm ok with the feature itself. I'm still not fond of an
"auto-discovery" based on the SKID, but I agree that's probably the most
convenient way of doing it for the user.

The way it's done we won't be able to change the issuers from the CLI
easily, but these files don't change too often so that's not a problem
at the moment.

Can you add a little bit of explanation on how the discovery of the
issuer is done in the documentation?

I think we will probably need more information in the "show ssl cert"
output in the future so the users can debug this kind of feature easily.

Thanks,

--
William Lallemand
Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.
Hi,

Is there any hope that this proposal will be considered before HAproxy 2.2?

++
Manu

> On 31 Jan 2020, at 16:06, Emmanuel Hocdet wrote:
>
>> On 31 Jan 2020, at 12:22, Emmanuel Hocdet wrote:
>>
>> I will send a new patch for « issuers-chain-path » with corrections.
>>
>
> <0001-MINOR-ssl-add-issuers-chain-path-directive.patch>