From 8e9fe563fa6f169cf053aae135f33306e4186242 Mon Sep 17 00:00:00 2001
From: Ranjandas
Date: Fri, 13 Jan 2023 14:55:36 +1100
Subject: [PATCH] Update TG Docs with SAN match option when using SNI (#15971)

When using SNI in Terminating Gateway, Consul configures envoy to have strict SAN matching. This requires all external services to have SANs in their certificates and not having it will throw CERTIFICATE_VERIFY_FAILED error.
---
 .../docs/connect/config-entries/terminating-gateway.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/website/content/docs/connect/config-entries/terminating-gateway.mdx b/website/content/docs/connect/config-entries/terminating-gateway.mdx
index b30c89bfa..f8e7b678e 100644
--- a/website/content/docs/connect/config-entries/terminating-gateway.mdx
+++ b/website/content/docs/connect/config-entries/terminating-gateway.mdx
@@ -679,7 +679,8 @@ spec:
 name: 'SNI',
 type: 'string: ""',
 description:
- 'An optional hostname or domain name to specify during the TLS handshake.',
+ `An optional hostname or domain name to specify during the TLS handshake. This option will also configure [strict SAN matching](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-certificatevalidationcontext-match-typed-subject-alt-names), which requires
+ the external services to have certificates with SANs, not having which will result in \`CERTIFICATE_VERIFY_FAILED\` error.`,
 },
 ],
 },