aboutsummaryrefslogtreecommitdiffstats
path: root/config/haproxy-devel/pkg
diff options
context:
space:
mode:
authorPiBa-NL <pba_2k3@yahoo.com>2015-06-20 16:05:29 +0200
committerPiBa-NL <pba_2k3@yahoo.com>2015-06-20 16:05:29 +0200
commit51aa815ed0a53798ef56899daf5fd21bb8ceef81 (patch)
treebbc61f9d7acd08c1dffdc1905a5d26e885ff1551 /config/haproxy-devel/pkg
parent8686fe13f55436b7d2af00b69635009a6cce7666 (diff)
downloadpfsense-packages-51aa815ed0a53798ef56899daf5fd21bb8ceef81.tar.gz
pfsense-packages-51aa815ed0a53798ef56899daf5fd21bb8ceef81.tar.bz2
pfsense-packages-51aa815ed0a53798ef56899daf5fd21bb8ceef81.zip
haproxy-devel, dont send the root CA cert to clients when using ssl-offloading, its not needed.
-cipher example and HSTS textual addition -another try to include lua for haproxy1.6dev package binary
Diffstat (limited to 'config/haproxy-devel/pkg')
-rw-r--r--config/haproxy-devel/pkg/haproxy.inc17
1 files changed, 11 insertions, 6 deletions
diff --git a/config/haproxy-devel/pkg/haproxy.inc b/config/haproxy-devel/pkg/haproxy.inc
index 6e07625f..eceef783 100644
--- a/config/haproxy-devel/pkg/haproxy.inc
+++ b/config/haproxy-devel/pkg/haproxy.inc
@@ -957,18 +957,23 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
unset($crl);
}
-function haproxy_write_certificate_fullchain($filename, $certid, $append = false) {
+function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) {
$cert = haproxy_lookup_cert($certid);
$certcontent = base64_decode($cert['crt']);
if (isset($cert['prv']))
$certcontent .= "\r\n".base64_decode($cert['prv']);
- $certchaincontent = ca_chain($cert);
- if ($certchaincontent != "") {
- $certcontent .= "\r\n" . $certchaincontent;
+ $ca = $cert;
+ while(!empty($ca['caref'])) {
+ $ca = lookup_ca($ca['caref']);
+ if ($ca) {
+ if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+ break;
+ $certcontent .= "\r\n" . base64_decode($ca['crt']);
+ } else
+ break;
}
- unset($certchaincontent);
$flags = $append ? FILE_APPEND : 0;
file_put_contents($filename, $certcontent, $flags);
unset($certcontent);
@@ -1155,7 +1160,7 @@ function haproxy_writeconf($configpath) {
if ($frontend['sslocsp'] == 'yes') {
if (!empty(haproxy_getocspurl($filename))) {
haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']);
- touch($filename . ".ocsp");
+ touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp
}
}