diff --git a/doc/configuration.txt b/doc/configuration.txt index d9fd06dbd..c289523f6 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13872,6 +13872,13 @@ ca-file CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and .crl" available in the directory, files starting with a dot are ignored. + Warning: The "@system-ca" parameter could be used in place of the cafile + in order to use the trusted CAs of your system, like its done with the server + directive. But you mustn't use it unless you know what you are doing. + Configuring it this way basically mean that the bind will accept any client + certificate generated from one of the CA present on your system, which is + extremely unsecure. + ca-ignore-err [all|,...] This setting is only available when support for OpenSSL was built in. Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
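Review bot: The new warning in the ca-file section says "you mustn't use it unless you know what you are doing", which names the risk but gives the reader no safe alternative. I would replace that sentence with a positive recommendation, for example that on a bind line ca-file should point to a file or directory holding only the CAs that issue your own client certificates. The consequence sentence could also be tightened to say that any certificate issued by any CA in the system trust store will pass client verification, since "generated from one of the CA" is easy to misread. Wording nits in the added lines: "in place of the cafile" should use the keyword as documented ("ca-file"), "like its done" should be "as is done", "basically mean" should be "means", "one of the CA present" should be "one of the CAs present", and "extremely unsecure" should be "extremely insecure".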