Refs #12401 - More detailed description of ssl options #248

Merged (1 commit), Sep 15, 2017
15 changes: 10 additions & 5 deletions config/cli_config.template.yml
@@ -34,23 +34,28 @@

# SSL auth options
#:ssl:
# Path to a ca file
# Path to a CA file in PEM format, mutually exclusive with :ssl_ca_path:
#:ssl_ca_file: '/path/to/ca_certificate.pem'

# Path to a direcotry with ca file
Member:

May be worth mentioning that the directory must follow some rules as mentioned in OpenSSL docs. Took me some time to figure out:

> The directory should contain one certificate or CRL per file in PEM format, with a file name of the form hash.N for a certificate, or hash.rN for a CRL. The hash is the value returned by the X509_NAME_hash function applied to the subject name for certificates or issuer name for CRLs. The hash can also be obtained via the -hash option of the x509 or crl commands.

https://www.openssl.org/docs/man1.1.0/crypto/X509_LOOKUP_hash_dir.html, see the Hashed Directory Method section there.
A shorter explanation is in https://stackoverflow.com/questions/38529918/ssl-ca-path-with-iosocketssl-doesnt-use-certs-in-directory/38539719

# Path to a direcotry with CA files, mutually exclusive with :ssl_ca_file:
# The directory should contain one certificate per file in PEM format, with a file name of the form hash.N
# The hash can be obtained via the -hash option of the openssl x509 command. See the OpenSSL documentation
# for more information.
#:ssl_ca_path: '/path/to/ca'

# Turn SSL verification on/off
#:verify_ssl: true

# Path to a client certificate
# Path to a client certificate, DER- or PEM-encoded certificates are supported
#:ssl_client_cert: '/path/to/cert.crt'

# Path to a client key
#:ssl_client_key: '/path/to/cert.key'

# Enable standard authentication in addition to client certificate authentication
# Enable standard authentication in addition to client certificate authentication.
# Switch to false if you want to rely on certificates only.
#:ssl_with_basic_auth: true

# local CA cert store path
# Local CA cert store path where hammer stores certificates fetched from the server.
# Certs from the local storage are used only when neither :ssl_ca_file: nor :ssl_ca_path: is cofigured.
#:local_ca_store_path: '~/.hammer/certs'
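Review bot: two typos survive in the added comment lines: "direcotry" in `# Path to a direcotry with CA files, mutually exclusive with :ssl_ca_file:` and "cofigured" in the `:local_ca_store_path:` description; since this change exists to make these descriptions clearer, fix them in the same commit. The `:ssl_ca_path:` text should also say how the `hash.N` layout is normally produced (the `c_rehash` script, or `openssl rehash` on OpenSSL 1.1.0 and later) rather than leaving the reader to compute hashes and link files by hand. Finally, `:verify_ssl:` keeps the bare `# Turn SSL verification on/off` while every neighbouring option gained a fuller description; a sentence noting that `false` disables server certificate verification entirely, so `:ssl_ca_file:` and `:ssl_ca_path:` are then irrelevant, belongs there.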
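The hashed directory layout that the inline review comment describes, built from a directory of PEM files so it can be pointed at by `:ssl_ca_path:`, as an added example (shell around the openssl CLI; not code from the hammer-cli project): `hashed_ca_dir` and `verify_against_dir` are names chosen here, and the collision handling (`hash.0`, `hash.1`, ...) for two certificates with the same subject is the part the one-line template comment glosses over.

```shell
#!/bin/sh
# Added example: build an OpenSSL "hashed directory" of CA certificates.
# c_rehash / "openssl rehash" do the same job; this shows what they produce.
set -eu

# hashed_ca_dir SRC_DIR DEST_DIR
# Copies every *.pem file in SRC_DIR that openssl can parse into DEST_DIR and
# creates one <hash>.N symlink per certificate, where <hash> is the subject
# name hash (openssl x509 -hash) and N is incremented when several
# certificates share a hash, e.g. a re-issued CA with the same subject.
hashed_ca_dir() {
    src=$1; dest=$2
    mkdir -p "$dest"
    for cert in "$src"/*.pem; do
        [ -f "$cert" ] || continue
        # Skip files that are not PEM certificates instead of linking junk
        # into the trust directory.
        hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || {
            echo "skipping $cert: not a PEM certificate" >&2
            continue
        }
        name=$(basename "$cert")
        cp "$cert" "$dest/$name"
        n=0
        while [ -e "$dest/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$name" "$dest/$hash.$n"
        echo "$hash.$n -> $name"
    done
}

# verify_against_dir CERT CA_DIR
# Exits non-zero when CERT cannot be validated by hash lookup in CA_DIR, the
# same lookup an OpenSSL-based client performs for a configured CA path.
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Run `hashed_ca_dir ~/ca-pems ~/.hammer/ca-path` and set `:ssl_ca_path: '~/.hammer/ca-path'`; a file dropped into the directory without a matching `hash.N` link is silently ignored by the lookup.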