Update TG Docs with SAN match option when using SNI (#15971)

When using SNI in Terminating Gateway, Consul configures Envoy to
have strict SAN matching. This requires all external services to
have SANs in their certificates, and not having them will throw a
CERTIFICATE_VERIFY_FAILED error.
Ranjandas 2023-01-13 14:55:36 +11:00 committed by GitHub
parent 9420fd229b
commit 8e9fe563fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions

@ -679,7 +679,8 @@ spec:
name: 'SNI',
type: 'string: ""',
description:
'An optional hostname or domain name to specify during the TLS handshake.',
`An optional hostname or domain name to specify during the TLS handshake. This option will also configure [strict SAN matching](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-certificatevalidationcontext-match-typed-subject-alt-names), which requires
the external services to have certificates with SANs, not having which will result in \`CERTIFICATE_VERIFY_FAILED\` error.`,
},
],
},
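Review bot: In the new `description` for `SNI`, the added sentence says strict SAN matching gets configured but never says which value the certificate's SANs are matched against, so an operator who hits `CERTIFICATE_VERIFY_FAILED` cannot tell from this text what the external service's certificate must contain. State the matched value explicitly. The clause "not having which will result in" is hard to parse; something like "Certificates without SANs fail verification with a `CERTIFICATE_VERIFY_FAILED` error." reads more cleanly. The link targets the `latest` Envoy docs, so the page and its anchor can drift over time; a version-pinned URL would be more stable. The template literal also breaks across two lines mid-sentence, which puts a literal newline into the description string; keep it on one line or confirm the renderer collapses it.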