DOC: ssl: add 'verify', 'cafile' and 'crlfile' statements on 'bind'
diff --git a/doc/configuration.txt b/doc/configuration.txt
index ccbd40b..afcd558 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6742,6 +6742,11 @@
the named curve (RFC 4492) used to generate ECDH ephemeral keys and makes
ECDHE cipher suites usable.
+cafile <cafile>
+ This setting is only available when support for OpenSSL was built in. It
+ designates a PEM file from which to load CA certificates used to verify
+ client's certificate.
+
ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It sets
the string describing the list of cipher algorithms ("cipher suite") that are
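Review bot: the new 'cafile' entry never mentions 'verify', so a reader of this entry alone cannot tell that the CA file goes unused while 'verify' is left at its default of 'none' (the 'verify' entry added later in this patch says no client certificate is requested in that mode). Suggest ending the paragraph with a cross-reference such as "See also the 'verify' keyword." and tightening the last line to "used to verify the client's certificate".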
@@ -6749,6 +6754,11 @@
in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
+crlfile <cafile>
+ This setting is only available when support for OpenSSL was built in. It
+ designates a PEM file from which to load certificate revocation list used
+ to verify client's certificate.
+
crt <cert>
This setting is only available when support for OpenSSL was built in.
It designates a PEM file from which to load both a certificate and the
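Review bot: the argument placeholder on the added line 'crlfile <cafile>' looks copy-pasted from the 'cafile' entry; it should read 'crlfile <crlfile>' so the synopsis names a CRL file rather than a CA file. The description also needs an article ("to load the certificate revocation list") and, like 'cafile', would benefit from a pointer to the 'verify' keyword.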
@@ -6919,6 +6929,15 @@
setting except that the user name is used instead of its uid. This setting is
ignored by non UNIX sockets.
+verify [none|optional|required]
+ This setting is only available when support for OpenSSL was built in. If set
+ to 'none', client certificate is not requested. This is the default. In other
+ cases, a client certificate is requested. If the client does not provide a
+ certificate after the request and if 'verify' is set to 'required', then the
+ handshake is aborted, while it would have succeeded if set to 'optional'. The
+ certificate provided by the client is always verified using CAs from 'cafile'
+ and optional CRLs from 'crlfile'. On verify failure the handshake is aborted,
+ regardless of the 'verify' option.
5.2. Server and default-server options
------------------------------------
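Review bot: the 'verify' paragraph says the client certificate is "always verified using CAs from 'cafile'", but it does not say what happens when 'verify' is 'optional' or 'required' and no 'cafile' is given on the bind line. Please state whether that combination is a configuration error or whether every presented certificate then fails verification. Separately, the synopsis 'verify [none|optional|required]' uses square brackets, which reads as an optional argument; if a value is mandatory, drop the brackets or document what a bare 'verify' means. It would also help to say explicitly that under 'optional' a client presenting a certificate that fails verification has its handshake aborted rather than being treated as unauthenticated, since that is what the final sentence implies.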