|
|
|
|
@ -94,7 +94,7 @@ environment and adapt these configurations accordingly.
|
|
|
|
|
should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was |
|
|
|
|
added in Consul 1.0.1. |
|
|
|
|
|
|
|
|
|
- [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be |
|
|
|
|
- [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be |
|
|
|
|
set to true to require that the TLS certificate presented by the servers matches |
|
|
|
|
`server.<datacenter>.<domain>` hostname for outgoing TLS connections. The default configuration does not verify the |
|
|
|
|
hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a |
|
|
|
|
@ -105,6 +105,16 @@ environment and adapt these configurations accordingly.
|
|
|
|
|
[CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed |
|
|
|
|
in 1.4.1. |
|
|
|
|
|
|
|
|
|
- [`auto_encrypt`](/docs/agent/options#auto_encrypt) - Enables automated TLS certificate distribution for client |
|
|
|
|
agent RPC communication using the Connect CA. Using this configuration a [`ca_file`](/docs/agent/options#ca_file) |
|
|
|
|
and ACL token would still need to be distributed to client agents. |
|
|
|
|
|
|
|
|
|
- [`allow_tls`](/docs/agent/options#allow_tls) - By default this is false, and should be set to true on server |
|
|
|
|
agents to allow certificates to be automatically generated and distributed from the Connect CA to client agents. |
|
|
|
|
|
|
|
|
|
- [`tls`](/docs/agent/options#tls) - By default this false, and should be set to true on client agents to |
|
|
|
|
automatically request a client TLS certificate from the server's Connect CA. |
|
|
|
|
|
|
|
|
|
**Example Server Agent TLS Configuration** |
|
|
|
|
|
|
|
|
|
```hcl |
|
|
|
|
|
Kent 'picat' Gruber
4 years ago