Re: Feature request: disable CA/distinguished names.

2017-07-28 Thread Emmanuel Hocdet
Hi Willy, thanks! > On 28 Jul 2017 at 15:23, Willy TARREAU wrote: > > Hi Manu, > > thank you! > > I've just applied a minor change below: > > - int verify:2; /* verify method (set of SSL_VERIFY_* flags) > */ > + int verify:3; /* verify method (set of S

Re: Feature request: disable CA/distinguished names.

2017-07-28 Thread Willy TARREAU
Hi Manu, thank you! I've just applied a minor change below: - int verify:2; /* verify method (set of SSL_VERIFY_* flags) */ + int verify:3; /* verify method (set of SSL_VERIFY_* flags) */ I've put 3 bits for verify instead of 2 because while apparently
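
Review bot: 'int verify:3' is a plain int bit-field, and whether a plain int bit-field is signed is implementation-defined. Where it is signed, three bits hold -4..3, so a flag set that uses the top bit reads back negative and an equality test against the SSL_VERIFY_* constants can fail. Declaring the field as 'unsigned int verify:3;' gives 0..7 on every compiler and removes the dependence on a spare bit.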

Re: Feature request: disable CA/distinguished names.

2017-07-28 Thread Emmanuel Hocdet
Hi Emeric, Thanks for the review. Patch with ‘{}’ included. ++ Manu 0001-MINOR-ssl-add-no-ca-names-parameter-for-bind.patch Description: Binary data > On 27 Jul 2017 at 18:47, Emeric Brun wrote: > > Hi Manu, > > > Could you add a block '{ }' or move the comment on the comment on follow

Re: Feature request: disable CA/distinguished names.

2017-07-27 Thread Willy TARREAU
On Thu, Jul 27, 2017 at 06:47:38PM +0200, Emeric Brun wrote: > A second point, I don't know which is the current policy about the keyword > prefix "no-" in configuration statements, but > we usually take care using this word. > > Willy, would you clarify that point? In fact we were very careful

Re: Feature request: disable CA/distinguished names.

2017-07-27 Thread Emeric Brun
Hi Manu, Could you add a block '{ }' or move the comment on the comment on following lines: + if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) + /* set CA names fo client cert request, function returns void */ +

Re: Feature request: disable CA/distinguished names.

2017-07-27 Thread Emmanuel Hocdet
dev will be a good step. Emeric or Willy must find time to review and consider the merge. ++ Manu > Best regards, > > Bas > > -Original Message- > From: Emmanuel Hocdet [mailto:m...@gandi.net] > Sent: Monday 10 July 2017 17:46 > To: Wolvers, Bas > Cc: haproxy@

RE: Feature request: disable CA/distinguished names.

2017-07-11 Thread Wolvers, Bas
ormilux.org Subject: Re: Feature request: disable CA/distinguished names. Hi Bas, > On 10 Jul 2017 at 17:05, Wolvers, Bas wrote: > > Hi Emmanuel, > > I finally found time to test your patch. > > It works, but you can't seem to turn it off. > no-ca-names seems to b

Re: Feature request: disable CA/distinguished names.

2017-07-10 Thread Emmanuel Hocdet
Hi Bas, > On 10 Jul 2017 at 17:05, Wolvers, Bas wrote: > > Hi Emmanuel, > > I finally found time to test your patch. > > It works, but you can't seem to turn it off. > no-ca-names seems to be active regardless of the option in the config file. > Oops, I failed the double negation. fix patc

RE: Feature request: disable CA/distinguished names.

2017-07-10 Thread Wolvers, Bas
it limited unfortunately. Best regards, Bas -Original Message- From: Emmanuel Hocdet [mailto:m...@gandi.net] Sent: Tuesday 13 June 2017 15:39 To: Wolvers, Bas Cc: haproxy@formilux.org Subject: Re: Feature request: disable CA/distinguished names. > Le 13 juin 2017 à 14:13, Wolvers, Bas a écri

Re: Feature request: disable CA/distinguished names.

2017-06-13 Thread Emmanuel Hocdet
> From: Emmanuel Hocdet [mailto:m...@gandi.net] > Sent: Monday 12 June 2017 17:58 > To: Wolvers, Bas > Cc: haproxy@formilux.org > Subject: Re: Feature request: disable CA/distinguished names. > > Thanks for the explanation. > I think a parameter like ‘no-ca-names’ c

RE: Feature request: disable CA/distinguished names.

2017-06-13 Thread Wolvers, Bas
That would do nicely. Is there something useful I can do to help? -Original Message- From: Emmanuel Hocdet [mailto:m...@gandi.net] Sent: Monday 12 June 2017 17:58 To: Wolvers, Bas Cc: haproxy@formilux.org Subject: Re: Feature request: disable CA/distinguished names. Thanks for the

Re: Feature request: disable CA/distinguished names.

2017-06-12 Thread Emmanuel Hocdet
big. > With CA names turned off I tested with 1 CA's loaded without problems. > > -Original Message- > From: Emmanuel Hocdet [mailto:m...@gandi.net] > Sent: Monday 12 June 2017 14:22 > To: Wolvers, Bas > Cc: haproxy@formilux.org > Subject: Re: Feature request:

RE: Feature request: disable CA/distinguished names.

2017-06-12 Thread Wolvers, Bas
er hello is too big. With CA names turned off I tested with 1 CA's loaded without problems. -Original Message- From: Emmanuel Hocdet [mailto:m...@gandi.net] Sent: Monday 12 June 2017 14:22 To: Wolvers, Bas Cc: haproxy@formilux.org Subject: Re: Feature request: disable CA/distingui

Re: Feature request: disable CA/distinguished names.

2017-06-12 Thread Emmanuel Hocdet
I don't understand. CA certs are loaded by haproxy when needed: i.e. if ‘ca-file’ parameter is used and ‘verify’ is set to ‘optional’ or ‘required’. > On 12 Jun 2017 at 13:00, Wolvers, Bas wrote: > > For setups with large amounts of CA certs it can be a really good idea to > turn off CA name

Feature request: disable CA/distinguished names.

2017-06-12 Thread Wolvers, Bas
For setups with large amounts of CA certs it can be a really good idea to turn off CA names in the key exchange. As far as I understand it is optional to send CA names, and it works fine with these turned off. This is also called distinguished names. To do this a single line should not be execut