website: document the new TLS changes
parent 4c93091f45
commit 97c87f4e4d
@ -64,7 +64,8 @@ using OpenSSL. Note: client certificates must have
for client and server authentication.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
These modes are controlled by the [`verify_outgoing`](/docs/agent/options.html#verify_outgoing)
These modes are controlled by the [`verify_outgoing`](/docs/agent/options.html#verify_outgoing),
[`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname),
and [`verify_incoming`](/docs/agent/options.html#verify_incoming) options, respectively.
If [`verify_outgoing`](/docs/agent/options.html#verify_outgoing) is set, agents verify the
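Review bot: with `verify_server_hostname` spliced into the option list, "respectively" no longer lines up: the sentence before it names two modes (verifying the authenticity of servers, verifying the authenticity of clients) but the list now carries three options. Either drop "respectively" or extend the preceding sentence so hostname verification is introduced as its own mode, e.g. "TLS can be used to verify the authenticity of the servers, the hostname of the servers, or the authenticity of clients."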
@ -74,6 +75,14 @@ by the certificate authority present on all agents, set via the agent's
appropriate key pair set using [`cert_file`](/docs/agent/options.html#cert_file) and
[`key_file`](/docs/agent/options.html#key_file).
If [`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname) is set, then
outgoing connections perform hostname verification. All servers must have a certificate
valid for "server.\<datacenter\>.\<domain\>" or the client will reject the handshake. This is
a new configuration as of 0.5.1, and it is used to prevent a compromised client from being
able to restart in server mode and perform a MITM attack. New deployments should set this
to true, and generate the proper certificates, but this is defaulted to false to avoid breaking
existing deployments.
If [`verify_incoming`](/docs/agent/options.html#verify_incoming) is set, the servers verify the
authenticity of all incoming connections. All clients must have a valid key pair set using
[`cert_file`](/docs/agent/options.html#cert_file) and
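Review bot: "or the client will reject the handshake" understates the scope of the check. The option's own reference entry says it applies to all outgoing connections, and servers make outgoing connections too, so a server whose peer presents a certificate without the `server.\<datacenter\>.\<domain\>` name is rejected as well; "the connecting agent" is more accurate than "the client". The paragraph should also spell out the precondition the protection rests on: the CA must never issue a certificate valid for `server.\<datacenter\>.\<domain\>` to a client agent, otherwise a compromised client restarted in server mode still passes the check and the setting buys nothing. Finally, say here that the option implies `verify_outgoing`, as the reference entry does, so operators reading only this page don't conclude both must be set by hand.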
@ -584,6 +584,14 @@ definitions support being updated during a reload.
will not make use of TLS for outgoing connections. This applies to clients and servers
as both will make outgoing connections.
* <a name="verify_server_hostname"></a><a href="#verify_server_hostname">`verify_server_hostname`</a> - If set to
true, Consul verifies for all outgoing connections that the TLS certificate presented by the servers
matches "server.<datacenter>.<domain>" hostname. This implies `verify_outgoing`.
By default, this is false, and Consul does not verify the hostname of the certificate, only
that it is signed by a trusted CA. This setting is important to prevent a compromised
client from being restarted as a server, and thus being able to perform a MITM attack
or to be added as a Raft peer. This is new in 0.5.1.
* <a name="watches"></a><a href="#watches">`watches`</a> - Watches is a list of watch
specifications which allow an external process to be automatically invoked when a
particular data view is updated. See the
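Review bot: `"server.<datacenter>.<domain>"` is left unescaped in this hunk while the encryption page hunk writes `\<datacenter\>`; inside this markdown list the raw angle brackets are liable to be treated as HTML tags and dropped from the rendered page, so escape them the same way or put the pattern in backticks. The phrase 'matches "server.<datacenter>.<domain>" hostname' also reads awkwardly; 'matches the hostname "server.<datacenter>.<domain>"' is clearer. Minor: the entry says the check is performed on "the servers", and like `verify_outgoing` just above it, it applies to every outgoing connection made by clients and servers alike; carrying over that "applies to clients and servers" caveat from `verify_outgoing` would avoid the reading that only client agents verify.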