@ -62,15 +62,15 @@ using OpenSSL. Note: client certificates must have
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
for client and server authentication.
for client and server authentication.
When enabling TLS for Consul, we first must decide what we wish to verify. TLS can be used
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. These modes are
to verify the authenticity of the servers or verify the authenticity of clients. These modes are
controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html), respectively.
controlled by the `verify_incoming` and `verify_outgoing` [options](/docs/agent/options.html), respectively.
If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
connections. Server nodes must present a certificate signed by the `ca_file` setting that in turn must
connections. Server nodes must present a certificate signed by the certificate authority
be present on all agents. All server nodes must have an appropriate key pair set using `cert_file` and `key_file`.
present on all agents, set via the agent's `ca_file` option. All server nodes must have an
appropriate key pair set using `cert_file` and `key_file`.
If `verify_incoming` is set, then the servers verify the authenticity of all incoming
If `verify_incoming` is set, the servers verify the authenticity of all incoming
connections. Servers will also disallow any non-TLS connections. All clients must have
connections. Servers will also disallow any non-TLS connections. All clients must have
a valid key pair set using `cert_file` and `key_file`. To force clients to use TLS,
a valid key pair set using `cert_file` and `key_file`. To force clients to use TLS,
`verify_outgoing` must also be set.
`verify_outgoing` must also be set.
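Review bot: the reordered option names in the new line "controlled by the `verify_incoming` and `verify_outgoing` [options](/docs/agent/options.html), respectively." no longer match the order of the clause they refer to ("verify the authenticity of the servers or verify the authenticity of clients"). The paragraphs that follow in this same hunk state that `verify_outgoing` makes agents verify the servers and `verify_incoming` makes the servers verify incoming clients, so with "respectively" the new wording maps each option to the wrong side. Keep the original order, "controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html), respectively.", or drop "respectively" if the order is meant to change.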