diff --git a/website/pages/docs/security/security-models/core.mdx b/website/pages/docs/security/security-models/core.mdx index d09c983dd3..76c0010601 100644 --- a/website/pages/docs/security/security-models/core.mdx +++ b/website/pages/docs/security/security-models/core.mdx @@ -94,7 +94,7 @@ environment and adapt these configurations accordingly. should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was added in Consul 1.0.1. - - [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be + - [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be set to true to require that the TLS certificate presented by the servers matches `server..` hostname for outgoing TLS connections. The default configuration does not verify the hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a @@ -105,6 +105,16 @@ environment and adapt these configurations accordingly. [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed in 1.4.1. + - [`auto_encrypt`](/docs/agent/options#auto_encrypt) - Enables automated TLS certificate distribution for client + agent RPC communication using the Connect CA. Using this configuration a [`ca_file`](/docs/agent/options#ca_file) + and ACL token would still need to be distributed to client agents. + + - [`allow_tls`](/docs/agent/options#allow_tls) - By default this is false, and should be set to true on server + agents to allow certificates to be automatically generated and distributed from the Connect CA to client agents. + + - [`tls`](/docs/agent/options#tls) - By default this false, and should be set to true on client agents to + automatically request a client TLS certificate from the server's Connect CA. + **Example Server Agent TLS Configuration** ```hcl