82ff1acf03
Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways:

* Improves performance since validation will check only one certificate.
* Improves security since only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs).

Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
7 lines
315 B
YAML
---
features:
  - Adds the InternalTLSCAFile parameter, which defines which CA file should be
    used by the internal services to verify that the peer's certificate is
    trusted. This is applicable if internal TLS is enabled. Currently, it
    defaults to using the CA file for FreeIPA, which is the default CA.
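Review bot: the features entry never mentions HAProxy, although the commit message says the point of this change is that HAProxy stops using the CA bundle and validates the proxied services' certificates against one specific file; name HAProxy in the entry so operators know which component changes behaviour. The entry also gives the default only as "the CA file for FreeIPA" without a path; state the default value. Since only certificates signed by that one CA will now validate, add a sentence telling deployments whose internal certificates are issued by a different CA to set InternalTLSCAFile.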