author: Pavel Březina <pbrezina@redhat.com> 2017-02-28 11:47:32 +0100
committer: Lukas Slebodnik <lslebodn@redhat.com> 2017-03-30 19:08:00 +0200
commit: 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 (patch)
tree: c559db1c94f83a924d78e22bd7f2d9ddacded5da /src/config/cfg_rules.ini
parent: 06744bf5a47d5971a338281c8243b11cf72dac90 (diff)
secrets: allow to configure certificate check
Some users may want to use TLS with unverified peer (for example if they use self-signed certificate) or if unverified hostname (if certificate hostname does not match with the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities.

This patch adds three new options to secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/config/cfg_rules.ini')
-rw-r--r-- src/config/cfg_rules.ini 6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 1a749db75..e47ff3324 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -265,6 +265,12 @@ option = auth_header_value
option = forward_headers
option = username
option = password
+option = verify_peer
+option = verify_host
+option = capath
+option = cacert
+option = cert
+option = key
# KCM responder
[rule/allowed_kcm_options]
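Review bot: the added `option = verify_peer` and `option = verify_host` lines make two TLS-weakening switches valid configuration, but nothing in this file records their defaults or flags them as security-sensitive. The commit message says they exist so that an unverified peer or a mismatched hostname can be accepted, so please confirm in the option documentation that both default to enabled, and consider a short comment above `+option = verify_peer` saying that disabling either one removes protection against a man-in-the-middle on the proxied connection. Two smaller points: the commit message announces "three new options" while this hunk adds six (`capath`, `cacert`, `cert` and `key` as well), so the message and the list should be reconciled; and `key` names a client private key, so the documentation for it should state the expected file ownership and permissions.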