tripleo-heat-templates/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
Juan Antonio Osorio Robles 82ff1acf03 Internal TLS: Use specific CA file for haproxy
Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:

* Improves performance since validation will check only one certificate.
* Improves security since only the certificates signed by one CA
  are valid, instead of any certificate that the system trusts (which
  could include potentially compromised public certs).

Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
2017-05-03 12:46:14 +03:00

---
features:
  - Adds the InternalTLSCAFile parameter, which defines which CA file should be
    used by the internal services to verify that the peer's certificate is
    trusted. This is applicable if internal TLS is enabled. Currently, it
    defaults to using the CA file for FreeIPA, which is the default CA.
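
The trust difference the commit message describes, as an added example that is not part of tripleo-heat-templates: the script builds two throwaway CAs with the `openssl` CLI and checks which leaf certificates validate against a combined bundle versus a single CA file. All names (`internal-ca`, `other-ca`, `backend`, `other-service`) are constructed for the demo, and it assumes OpenSSL 1.1.0 or later for `-no-CApath`.

```shell
#!/bin/sh
# Constructed demo: every CA, subject and path below is made up for this example.

# make_ca DIR NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA NAME: create a leaf key and a certificate signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# trusted CAFILE CERT: succeed only if CERT chains to a CA found in CAFILE.
# -no-CApath keeps the system's default trust directory out of the decision.
trusted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT

make_ca "$work" internal-ca    # stands in for the deployment's internal CA
make_ca "$work" other-ca       # stands in for any other CA the system trusts
issue_cert "$work" internal-ca backend
issue_cert "$work" other-ca other-service

# A bundle trusts every CA it contains; the single file trusts exactly one.
cat "$work/internal-ca.crt" "$work/other-ca.crt" > "$work/bundle.crt"

for store in bundle internal-ca; do
    for leaf in backend other-service; do
        if trusted "$work/$store.crt" "$work/$leaf.crt"; then
            result=accepted
        else
            result=rejected
        fi
        echo "CA file=$store leaf=$leaf: $result"
    done
done
```

Only the last combination is rejected: a certificate issued by a CA other than the internal one stops validating once the verifier is pointed at the single CA file.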