Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Илья Шипицин
Tue, 18 Feb 2020 at 21:44, Emmanuel Hocdet:

>
> > On 18 Feb 2020 at 14:36, William Lallemand wrote:
> >
> > On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
> >>
> >>> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
> >>>
> >>>> Can you add a little bit of explanation on how the discovery of the
> >>>> issuer is done in the documentation?
> >>>>
> >>> ok
> >>
> >>
> >> documentation updated:
> >>
> >
> > Thanks Manu!
> >
> > Merged and pushed in master.
> >
>

src/ssl_sock.c:9860:15: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
    ha_warning(warn);
               ^~~~
src/ssl_sock.c:9860:15: note: treat the string as an argument to avoid this
    ha_warning(warn);
               ^
               "%s",


>
> w00t!
> Thanks
>
> Manu
>
>
>
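
The -Wformat-security error quoted in the message above, shown as an added example that is not part of the thread or of HAProxy's code. `demo_warning` is a hypothetical stand-in for a printf-style logger and the sample message is constructed; the block compares using a runtime string as the format with the `"%s"` form the compiler note suggests.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for the ha_warning() call in the
 * build log; the format attribute is what lets GCC/Clang check its call sites. */
__attribute__((format(printf, 3, 4)))
static int demo_warning(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Flagged pattern: the runtime string is the format. The diagnostic is
 * silenced only so this demo builds under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void log_flagged(char *out, size_t len, const char *warn)
{
    demo_warning(out, len, warn);
}
#pragma GCC diagnostic pop

/* The compiler note's fix: constant format, message passed as data. */
static void log_fixed(char *out, size_t len, const char *warn)
{
    demo_warning(out, len, "%s", warn);
}

/* Returns 1 when the logged text equals the input byte for byte. */
static int logged_verbatim(void (*fn)(char *, size_t, const char *), const char *w)
{
    char buf[256];
    fn(buf, sizeof(buf), w);
    return strcmp(buf, w) == 0;
}

/* Constructed message; "%%" is its only conversion, so both calls are defined. */
static const char sample_warn[] = "chain file '100%%.pem' has no issuer";

int main(void)
{
    printf("flagged verbatim: %d\n", logged_verbatim(log_flagged, sample_warn));
    printf("fixed verbatim:   %d\n", logged_verbatim(log_fixed, sample_warn));
    return 0;
}
```

The flagged call rewrites the message because the logger parses it as a format; with `"%s"` the text is logged unchanged whatever it contains.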


Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet


> On 18 Feb 2020 at 14:36, William Lallemand wrote:
> 
> On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
>> 
>>> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
>>> 
>>>> Can you add a little bit of explanation on how the discovery of the
>>>> issuer is done in the documentation?
>>>> 
>>> ok
>> 
>> 
>> documentation updated:
>> 
> 
> Thanks Manu!
> 
> Merged and pushed in master.
> 

w00t!
Thanks

Manu




Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread William Lallemand
On Tue, Feb 18, 2020 at 01:58:39PM +0100, Emmanuel Hocdet wrote:
> 
> > On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
> > 
> >> Can you add a little bit of explanation on how the discovery of the
> >> issuer is done in the documentation?
> >> 
> > ok
> 
> 
> documentation updated:
> 

Thanks Manu!

Merged and pushed in master.

-- 
William Lallemand



Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
> 
>> Can you add a little bit of explanation on how the discovery of the
>> issuer is done in the documentation?
>> 
> ok

documentation updated:

0001-MINOR-ssl-add-issuers-chain-path-directive.patch
Description: Binary data


Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-18 Thread Emmanuel Hocdet
Hi William

> On 14 Feb 2020 at 15:59, William Lallemand wrote:
> 
> On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>> 
>> Is there any hope that this proposal will be considered before HAProxy 2.2?
>> 
>> ++
>> Manu
> 
> Hello,
> 
> I'm ok with the feature itself. I'm still not fond of an
> "auto-discovery" based on the SKID, but I agree that's probably the most
> convenient way of doing it for the user.
> 
great news

> The way it's done we won't be able to change the issuers from the CLI
> easily, but these files don't change too often so that's not a problem
> at the moment.
> 
I agree.

> Can you add a little bit of explanation on how the discovery of the
> issuer is done in the documentation?
> 
ok

> I think we will probably need more information in the "show ssl cert"
> output in the future so the users can debug this kind of feature easily.
> 

Yes. Showing the chain filename would be very helpful.
For that I think a good way would be to keep ckch->chain and ckch->issuer
with value (or NULL) from PEM/, and resolve chain and ocsp_issuer
when needed. « show ssl cert » will be able to find the origin of chain (and
ocsp_issuer) without storing a new state. The drawback(?) is that the .issuer
file will be loaded, in every case, if present.
Something like what I do for the ‘chain’ directive POC:
https://github.com/ehocdet/haproxy/commits/chain

++
Manu





Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-14 Thread William Lallemand
On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
> Hi,
> 
> Is there any hope that this proposal will be considered before HAProxy 2.2?
> 
> ++
> Manu

Hello,

I'm ok with the feature itself. I'm still not fond of an
"auto-discovery" based on the SKID, but I agree that's probably the most
convenient way of doing it for the user.

The way it's done we won't be able to change the issuers from the CLI
easily, but these files don't change too often so that's not a problem
at the moment.

Can you add a little bit of explanation on how the discovery of the
issuer is done in the documentation?

I think we will probably need more information in the "show ssl cert"
output in the future so the users can debug this kind of feature easily.

Thanks,
-- 
William Lallemand



Re: [PATCH] MINOR: ssl: add "issuers-chain-path" directive.

2020-02-14 Thread Emmanuel Hocdet
Hi,

Is there any hope that this proposal will be considered before HAProxy 2.2?

++
Manu


> On 31 Jan 2020 at 16:06, Emmanuel Hocdet wrote:
> 
> 
>> On 31 Jan 2020 at 12:22, Emmanuel Hocdet wrote:
> 
>> 
>> I will send a new patch for « issuers-chain-path » with corrections.
>> 
> 
> 
> 
> <0001-MINOR-ssl-add-issuers-chain-path-directive.patch>