DOC: remove the comment saying that SSL certs are not checked on the server side

Server certificate check was added in 1.5-dev13 but the comment on the "ssl"
keyword was not removed, leading to confusion about when to use it.
Willy Tarreau 2013-06-25 07:56:20 +02:00
parent 67db8df12b
commit 44f6539e47


@ -8070,14 +8070,13 @@ source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Supported in default-server: No Supported in default-server: No
ssl ssl
This option enables SSL ciphering on outgoing connections to the server. At This option enables SSL ciphering on outgoing connections to the server. It
the moment, server certificates are not checked, so this is prone to man in is critical to verify server certificates using "verify" when using SSL to
the middle attacks. The real intended use is to permit SSL communication connect to servers, otherwise the communication is prone to trivial man in
with software which cannot work in other modes over networks that would the-middle attacks rendering SSL useless. When this option is used, health
otherwise be considered safe enough for clear text communications. When this checks are automatically sent in SSL too unless there is a "port" or an
option is used, health checks are automatically sent in SSL too unless there "addr" directive indicating the check should be sent to a different location.
is a "port" or an "addr" directive indicating the check should be sent to a See the "check-ssl" optino to force SSL health checks.
different location. See the "check-ssl" optino to force SSL health checks.
Supported in default-server: No Supported in default-server: No
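Review bot: the reflowed "ssl" paragraph still carries the typo "optino" in 'See the "check-ssl" optino to force SSL health checks'; since the sentence is being rewrapped anyway, correct it to "option". The new wording also reads "man in the-middle", which should be "man-in-the-middle" to match the spelling used in the "verify" paragraph. Because the "verify" entry states that 'none' is the default, this text should name the setting explicitly ("verify required" together with 'ca-file') so a reader does not conclude that enabling "ssl" alone now checks the server certificate.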
@ -8095,7 +8094,9 @@ verify [none|required]
to 'none', server certificate is not verified. This is the default. In the to 'none', server certificate is not verified. This is the default. In the
other case, The certificate provided by the server is verified using CAs from other case, The certificate provided by the server is verified using CAs from
'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
is aborted. is aborted. It is critically important to verify server certificates when
using SSL to connect to servers, otherwise the communication is prone to
trivial man-in-the-middle attacks rendering SSL totally useless.
Supported in default-server: No Supported in default-server: No
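Review bot: the sentence added after "is aborted." says verification is critically important, but the paragraph still states that 'none' "is the default" without connecting the two; say outright that the default leaves server connections unverified and that "verify required" with 'ca-file' is what enables the check. The warning also repeats the one added under "ssl" with slightly different wording ("useless" there, "totally useless" here); consider keeping the full warning in one entry and pointing to it from the other. While touching this paragraph, the stray capital in "In the other case, The certificate" could be fixed as well.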