From 82ff1acf035d277dd2e7b9d7fc6e060ab2415144 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 26 Apr 2017 12:36:10 +0300
Subject: Internal TLS: Use specific CA file for haproxy

Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:

* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA
  are valid, instead of any certificate that the system trusts (which
  could include potentially compromised public certs).

Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
---
 .../notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml  | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml

(limited to 'releasenotes')

diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
new file mode 100644
index 00000000..8847b22b
--- /dev/null
+++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - Adds the InternalTLSCAFile parameter, which defines which CA file should be
+    used by the internal services to verify that the peer's certificate is
+    trusted. This is applicable if internal TLS is enabled. Currently, it
+    defaults to using the CA file for FreeIPA, which is the default CA.
-- 
cgit 1.2.3-korg