MINOR: ssl: add ssl-skip-self-issued-ca global option

This option activates the feature introduced in commit 16739778:
"MINOR: ssl: skip self issued CA in cert chain for ssl_ctx".
The patch disables the feature by default.
Emmanuel Hocdet 2020-04-22 11:06:19 +02:00 committed by William Lallemand
parent 916d0b523d
commit c3b7e74455
2 changed files with 23 additions and 1 deletions


@ -628,6 +628,7 @@ The following keywords are supported in the "global" section :
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
- ssl-skip-self-issued-ca
- unix-bind
- unsetenv
- 51degrees-data-file
@ -1370,6 +1371,16 @@ ssl-server-verify [none|required]
servers certificates are not verified. The default is 'required' except if
forced using cmdline option '-dV'.
ssl-skip-self-issued-ca
Self issued CA, aka x509 root CA, is the enchor for chain validation: as a
server is useless to send it, client must have it. Standard configuration
need to not include such CA in PEM file. This option allows you to keep such
CA in PEM file without sending it to the client. Use case is to provide
issuer for ocsp without the need for '.issuer' file and be able to share it
with 'issuers-chain-path'. This concerns all certificates without intermediate
certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
bits does not need it.
stats socket [<address:port>|<path>] [param*]
Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
Connections to this socket will return various statistics outputs and even


@ -167,6 +167,7 @@ static struct {
char *crt_base; /* base directory path for certificates */
char *ca_base; /* base directory path for CAs and CRLs */
char *issuers_chain_path; /* from "issuers-chain-path" */
int skip_self_issued_ca;
int async; /* whether we use ssl async mode */
@ -3823,7 +3824,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
for (i = 0; i < sk_X509_num(find_chain); i++) {
ca = sk_X509_value(find_chain, i);
/* skip self issued (Root CA) */
if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
if (global_ssl.skip_self_issued_ca && !X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
continue;
/*
SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
@ -10191,6 +10192,15 @@ static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct pr
return 0;
}
/* parse the "ssl-skip-self-issued-ca" keyword in global section. */
static int ssl_parse_skip_self_issued_ca(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
global_ssl.skip_self_issued_ca = 1;
return 0;
}
/* "issuers-chain-path" load chain certificate in global */
static int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err)
{
@ -12997,6 +13007,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
#ifndef OPENSSL_NO_ENGINE
{ CFG_GLOBAL, "ssl-engine", ssl_parse_global_ssl_engine },
#endif
{ CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
{ CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },
#ifndef OPENSSL_NO_DH
{ CFG_GLOBAL, "tune.ssl.default-dh-param", ssl_parse_global_default_dh },
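Review bot: `ssl_parse_skip_self_issued_ca` in the third hunk sets the flag without looking at `args`, so a line such as `ssl-skip-self-issued-ca off` silently enables the option instead of being rejected; if the other global keyword parsers in this file guard with `too_many_args`, the same one-liner belongs before the assignment, `if (too_many_args(0, args, err, NULL)) return -1;`. The keyword only ever sets the flag to 1, so it cannot be switched back off by a later line, which is worth a sentence in the header comment. In the `ssl_sock_put_ckch_into_ctx` hunk, the name-only `X509_NAME_cmp(subject, issuer)` test identifies any self-issued certificate (RFC 5280 sense), not only the root the documentation describes, so a self-issued key-rollover intermediate with the same subject and issuer name would also be dropped from the sent chain and clients that only trust the older key would fail validation; a comment such as `/* name-based: also skips self-issued rollover certs, not only the trust anchor */` would make that trade-off visible. Both enclosing functions start outside the hunks shown.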