From db69cd6f659726cce0602f58322e35527f0fe985 Mon Sep 17 00:00:00 2001
From: Ranjandas
Date: Fri, 13 Jan 2023 14:55:36 +1100
Subject: [PATCH] Update TG Docs with SAN match option when using SNI (#15971)

When using SNI in Terminating Gateway, Consul configures envoy to have strict SAN matching. This requires all external services to have SANs in their certificates and not having it will throw CERTIFICATE_VERIFY_FAILED error.
---
 .../docs/connect/config-entries/terminating-gateway.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/website/content/docs/connect/config-entries/terminating-gateway.mdx b/website/content/docs/connect/config-entries/terminating-gateway.mdx
index b30c89bfa7..f8e7b678ee 100644
--- a/website/content/docs/connect/config-entries/terminating-gateway.mdx
+++ b/website/content/docs/connect/config-entries/terminating-gateway.mdx
@@ -679,7 +679,8 @@ spec:
 name: 'SNI',
 type: 'string: ""',
 description:
- 'An optional hostname or domain name to specify during the TLS handshake.',
+ `An optional hostname or domain name to specify during the TLS handshake. This option will also configure [strict SAN matching](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-certificatevalidationcontext-match-typed-subject-alt-names), which requires
+ the external services to have certificates with SANs, not having which will result in \`CERTIFICATE_VERIFY_FAILED\` error.`,
 },
 ],
 },