Commit 5c775254 authored by Petr Špaček's avatar Petr Špaček

tls_client: fix CA authentication examples in documentation

parent 236df989
......@@ -63,6 +63,18 @@ To test this feature you need to either :ref:`configure Knot Resolver as DNS-ove
When multiple servers are specified, the one with the lowest round-trip time is used.
CA+hostname authentication
Traditional PKI authentication requires server to present certificate with specified hostname, which is issued by one of trusted CAs. Example policy is:
.. code-block:: lua
{'2001:DB8::d0c', hostname='', ca_file='/etc/knot-resolver/tlsca.crt'}})
- `hostname` must exactly match hostname in server's certificate, i.e. in most cases it must not contain trailing dot (``).
- `ca_file` must be path to CA certificate (or certificate bundle) in `PEM format`_.
TLS Examples
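Review bot: the new CA+hostname example and the trailing-dot bullet both show an empty literal (`hostname=''` and `(``)`), so as rendered the example does not demonstrate the rule stated directly below it that `hostname` must exactly match the name in the server's certificate; give the example a concrete name without a trailing dot and put the dot itself in the literal so the bullet reads "must not contain trailing dot (``.``)". The snippet also closes with `}})` while no `policy.TLS_FORWARD({` opener is shown, so it cannot be pasted as-is; either show the full call or drop the extra closers. Minor grammar in the intro sentence: "requires the server to present a certificate with the specified hostname, issued by one of the trusted CAs". Since `ca_file` is the trust anchor for this mode, the bullet could also say whether it must contain only the issuing CA or may be a full system bundle, as that decides how much a reader is trusting.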
......@@ -82,7 +94,7 @@ TLS Examples
policy.TLS_FORWARD({ -- please note that { here starts list of servers
{'', pin_sha256='Wg=='},
-- server must present certificate issued by specified CA and hostname must match
{'2001:DB8::d0c', hostname='res.example.', ca_file='/etc/knot-resolver/tlsca.crt'}
{'2001:DB8::d0c', hostname='', ca_file='/etc/knot-resolver/tlsca.crt'}
.. _policy_examples:
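Review bot: the replaced line drops the trailing dot from `hostname='res.example.'`, which is consistent with the new rule that the hostname must not carry one, but the replacement is shown as `hostname=''`; an empty string cannot "exactly match" anything in a certificate, so confirm the committed line carries the real hostname and that it is the same name used in the new CA+hostname section so the two examples agree. Pre-existing, but worth fixing in the same pass since the commit is about example correctness: the pinning entry above it, `{'', pin_sha256='Wg=='}`, has an empty address and a pin that is not a full base64 SHA-256 digest (44 characters), so a reader copying the block gets a configuration that cannot authenticate anything.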
......@@ -207,6 +219,7 @@ This module is enabled by default because it implements mandatory :rfc:`6761` lo
.. _`Aho-Corasick`:
.. _`@jgrahamc`:
.. _RPZ:
.. _`PEM format`:
.. _`Pro DNS and BIND`:
.. _`Jan-Piet Mens's post`:
.. _`Transport Layer Security`:
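Review bot: the new `.. _`PEM format`:` target is what the `ca_file` bullet links to, but as rendered none of the targets in this block, the new one included, carry a URL, so check that the committed line actually has one (RFC 7468 is the canonical reference for the PEM textual encoding) and that the Sphinx build does not report an unresolved target for `PEM format`.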