path: root/src/man/sssd-secrets.5.xml
author    Pavel Březina <pbrezina@redhat.com>  2017-02-28 11:47:32 +0100
committer Lukas Slebodnik <lslebodn@redhat.com>  2017-03-30 19:08:00 +0200
commit    720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 (patch)
tree      c559db1c94f83a924d78e22bd7f2d9ddacded5da /src/man/sssd-secrets.5.xml
parent    06744bf5a47d5971a338281c8243b11cf72dac90 (diff)
secrets: allow to configure certificate check
Some users may want to use TLS with an unverified peer (for example if they use a self-signed certificate) or with an unverified hostname (if the certificate hostname does not match the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities.

This patch adds three new options to the secrets responder:

verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath      => path to directory containing CA certs
cacert      => ca certificate
cert        => client certificate
key         => client private key

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
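To make the effect of these options concrete, the following sssd.conf fragment is an added illustration and is not part of the commit or of the SSSD project's documentation. Only the six options named in the commit message (verify_peer, verify_host, capath, cacert, cert, key) come from the page; the section name [secrets/users/<uid>], the provider and proxy_url keys, and every path and URL are assumptions or placeholders chosen for the example.

```ini
# Added example, not from the commit. Section names, provider and
# proxy_url are assumptions about the secrets responder's proxy
# provider; paths and URLs are placeholders.

# Hardened proxy: certificate chain is checked against a pinned
# private CA, the hostname must match, and a client certificate is
# presented for mutual TLS. This is the shape a production section
# should have.
[secrets/users/1000]
provider = proxy
proxy_url = https://secrets.example.internal/
verify_peer = true
verify_host = true
cacert = /etc/sssd/pki/internal-ca.pem
cert = /etc/sssd/pki/secrets-client.pem
key = /etc/sssd/pki/secrets-client.key

# Test-only proxy: any certificate from any host is accepted, so a
# party able to redirect the connection can read or alter the secrets
# the responder forwards. Keep sections like this out of production
# and alert on verify_peer = false / verify_host = false in config
# audits.
[secrets/users/1001]
provider = proxy
proxy_url = https://localhost:8443/
verify_peer = false
verify_host = false
```

The key file referenced by key should be readable only by the user the secrets responder runs as; the commit adds the option but does not document any permission requirement, so treat that as a deployment check rather than something SSSD enforces.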
Diffstat (limited to 'src/man/sssd-secrets.5.xml')
-rw-r--r--  src/man/sssd-secrets.5.xml  76
1 files changed, 76 insertions, 0 deletions
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 80e9c4059..44a86c3fb 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -273,6 +273,82 @@ systemctl enable sssd-secrets.service
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>verify_peer (boolean)</term>
+ <listitem>
+ <para>
+ Whether peer's certificate should be verified and valid
+ if HTTPS protocol is used with the proxy provider.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>verify_host (boolean)</term>
+ <listitem>
+ <para>
+ Whether peer's hostname must match with hostname in
+ its certificate if HTTPS protocol is used with the
+ proxy provider.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>capath (string)</term>
+ <listitem>
+ <para>
+ Path to directory containing stored certificate authority
+ certificates. System default path is used if this option is
+ not set.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cacert (string)</term>
+ <listitem>
+ <para>
+ Path to file containing server's certificate authority
+ certificate. If this option is not set then the CA's
+ certificate is looked up in <quote>capath</quote>.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cert (string)</term>
+ <listitem>
+ <para>
+ Path to file containing client's certificate if required
+ by the server. This file may also contain private key or
+ the private key may be in separate file set with
+ <quote>key</quote>.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>key (string)</term>
+ <listitem>
+ <para>
+ Path to file containing client's private key.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1 id='restapi'>
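Review bot: the verify_peer and verify_host entries say what each option toggles but not what disabling it costs, which is the one thing an administrator reading this man page needs before setting either to false. Suggest adding to both entries a sentence such as "Disabling this option makes the connection vulnerable to a server impersonating the proxy and should only be used for testing." In the same entries, "Whether peer's certificate should be verified and valid" reads awkwardly; "Whether the peer's certificate must be verified against a trusted certificate authority (see capath and cacert)" would be clearer and would tie the four trust-related options together. Finally, the cert entry says the file "may also contain private key" while the key entry does not say what happens when both are set; one sentence stating which takes precedence would remove the ambiguity.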