summaryrefslogtreecommitdiffstats
path: root/releasenotes/notes
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-04-26 12:36:10 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-03 12:46:14 +0300
commit82ff1acf035d277dd2e7b9d7fc6e060ab2415144 (patch)
treed8a799b2d00e610b14649e0f074838428684dba0 /releasenotes/notes
parente5b3b671eb82abeb8f4bae9bbf7df1d923439656 (diff)
Internal TLS: Use specific CA file for haproxy
Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
Diffstat (limited to 'releasenotes/notes')
-rw-r--r--releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml6
1 files changed, 6 insertions, 0 deletions
diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
new file mode 100644
index 00000000..8847b22b
--- /dev/null
+++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Adds the InternalTLSCAFile parameter, which defines which CA file should be
+ used by the internal services to verify that the peer's certificate is
+ trusted. This is applicable if internal TLS is enabled. Currently, it
+ defaults to using the CA file for FreeIPA, which is the default CA.