That would do nicely. Is there something useful I can do to help?
-----Original Message-----
From: Emmanuel Hocdet [mailto:m...@gandi.net]
Sent: Monday 12 June 2017 17:58
To: Wolvers, Bas
Cc: haproxy@formilux.org
Subject: Re: Feature request: disable CA/distinguished names.

Thanks for the explanation.
I think a parameter like 'no-ca-names' could do the job, or do you have a better name?

Manu

> On 12 June 2017 at 14:32, Wolvers, Bas <bas.wolv...@alliander.com> wrote:
>
> If you connect to a haproxy TLS server with CA names on (verify optional or required), part of the server hello message is the list of CA's that are accepted.
> The client can use this list to decide which certificate to send as its client certificate.
>
> The problem arises when this list is long: the server hello message gets really long as well.
> If the list is very long the server hello becomes prohibitively big, making client connections fail.
>
> So disabling the list of CA names in the server hello message reduces the message size.
> Lots of clients don't need to be told which certificate to send, and this list is optional since TLS 1.1 if memory serves me well.
>
> I'm running a system which (for good reason) runs on self-signed certificates, so technically I have a CA for every client.
> With more than 30 CA's I had clients that had problems connecting because the server hello is too big.
> With CA names turned off I tested with 10000 CA's loaded without problems.
>
> -----Original Message-----
> From: Emmanuel Hocdet [mailto:m...@gandi.net]
> Sent: Monday 12 June 2017 14:22
> To: Wolvers, Bas
> Cc: haproxy@formilux.org
> Subject: Re: Feature request: disable CA/distinguished names.
>
> I don't understand.
> CA certs are loaded by haproxy when needed, i.e. if the 'ca-file' parameter is used and 'verify' is set to 'optional' or 'required'.
>
>> On 12 June 2017 at 13:00, Wolvers, Bas <bas.wolv...@alliander.com> wrote:
>>
>> For setups with large amounts of CA certs it can be a really good idea to turn off CA names in the key exchange.
>> As far as I understand it is optional to send CA names, and it works fine with these turned off.
>> This is also called distinguished names.
>>
>> To do this a single line should not be executed:
>> SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
>> (in ssl_sock.c, function ssl_sock_prepare_ctx).
>>
>> I currently disable this with a LD_PRELOAD shim, but I think it would be a good idea to make this an ssl option, similar to force_tls12 etc.
>>
>> /*
>>  * This shim disables 2 OpenSSL functions.
>>  * The effect of this is that no client CA names, also known as
>>  * distinguished names, are loaded; this reduces SSL traffic with large
>>  * numbers of CA certificates.
>>  *
>>  * This is made to be used with HAPROXY since it does not have a
>>  * setting to disable this in the configuration.
>>  *
>>  * Build as a shared object and load it with LD_PRELOAD so these
>>  * definitions take precedence over the ones in libssl.
>>  */
>> #include <stdio.h>
>>
>> /* Replaces SSL_CTX_set_client_CA_list(SSL_CTX *, STACK_OF(X509_NAME) *):
>>  * swallow the call so the context never gets a client CA list. */
>> void SSL_CTX_set_client_CA_list(void *one, void *two)
>> {
>>     (void)one;
>>     (void)two;
>>     printf("SSL_CTX_set_client_CA_list called but disabled by shim.\n");
>> }
>>
>> /* Replaces SSL_load_client_CA_file(const char *): never read the file,
>>  * return NULL (an empty list) instead. */
>> void *SSL_load_client_CA_file(void *one)
>> {
>>     (void)one;
>>     printf("SSL_load_client_CA_file called but disabled by shim.\n");
>>     return 0;
>> }
>>
>
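As an added example, not code from the thread or from haproxy, here is a small Python builder and parser for the TLS 1.2 CertificateRequest handshake message, which is where the server's list of acceptable CA distinguished names is carried. It shows how every CA name adds its DER-encoded DN plus a 2-byte length prefix to the handshake, and that the whole list is bounded by a 16-bit length field, so very large CA sets cannot be expressed at all. The CN-only DNs, the rsa_sign certificate type and the sha256+rsa signature algorithm are constructed sample input.

```python
import struct

def der_tlv(tag, body):
    # Short-form DER length only; the constructed names here stay well under 128 bytes.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def cn_dn(name):
    # DER DistinguishedName: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String name } } }
    oid_cn = bytes.fromhex("0603550403")
    attr = der_tlv(0x30, oid_cn + der_tlv(0x0C, name.encode()))
    return der_tlv(0x30, der_tlv(0x31, attr))

def ca_list_bytes(ca_names):
    # Size of certificate_authorities: each DN is prefixed by a 2-byte length.
    return sum(2 + len(dn) for dn in ca_names)

def build_certificate_request(ca_names):
    # RFC 5246 7.4.4: certificate_types, supported_signature_algorithms, certificate_authorities
    body = bytes([1, 0x01])                      # one certificate_type: rsa_sign
    sigalgs = bytes.fromhex("0401")              # sha256 + rsa (constructed sample)
    body += struct.pack("!H", len(sigalgs)) + sigalgs
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    if len(cas) > 0xFFFF:                        # <0..2^16-1>: the protocol cannot carry more
        raise ValueError("certificate_authorities exceeds the 16-bit length field")
    body += struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body   # HandshakeType certificate_request

def parse_certificate_request(msg):
    # Returns (handshake body length, number of CA names, bytes used by certificate_authorities).
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    pos = 4
    n_types = msg[pos]
    pos += 1 + n_types
    sa_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + sa_len
    ca_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end, count = pos + ca_len, 0
    while pos < end:
        dn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2 + dn_len
        count += 1
    return length, count, ca_len

if __name__ == "__main__":
    for n in (0, 30):
        req = build_certificate_request([cn_dn(f"client-{i:04d}") for i in range(n)])
        print(n, "CAs ->", parse_certificate_request(req))
```

With real DNs of 60 to 100 bytes the 16-bit field is exhausted after a few hundred CAs, and an empty list keeps the message at a fixed 12 bytes regardless of how many CA certificates are loaded for verification.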