From 1639d6c02b30a4effddb702070d10227c34ffa41 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Thu, 26 May 2022 00:18:46 +0200 Subject: [PATCH] DOC: configuration: add a warning for @system-ca on bind Add a warning on @system-ca on the bind line so people don't use it this way. --- doc/configuration.txt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index d9fd06dbd..c289523f6 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13872,6 +13872,13 @@ ca-file CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and .crl" available in the directory, files starting with a dot are ignored. + Warning: The "@system-ca" parameter could be used in place of the cafile + in order to use the trusted CAs of your system, like its done with the server + directive. But you mustn't use it unless you know what you are doing. + Configuring it this way basically mean that the bind will accept any client + certificate generated from one of the CA present on your system, which is + extremely unsecure. + ca-ignore-err [all|,...] This setting is only available when support for OpenSSL was built in. Sets a comma separated list of errorIDs to ignore during verify at depth > 0. -- 2.47.3
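Review bot: the wording of the new warning block has several grammar and spelling slips that should be fixed before merging, since this is user-facing documentation: "in place of the cafile" should name the keyword as "ca-file" to match the section it sits in; "like its done with the server directive" should read "as is done with the server directive"; "Configuring it this way basically mean that the bind will accept" needs "means"; "one of the CA present on your system" should be "one of the CAs present on your system"; and "extremely unsecure" should be "extremely insecure". It would also help the reader to say explicitly that the danger applies to client-certificate verification on the bind line, which is what this ca-file setting controls, so the contrast with the server-side use of "@system-ca" (where trusting the system store to verify a backend's certificate is the normal case) is clear rather than implied.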