From 6491f6a3c92f69690c6320bf74c83a7632744172 Mon Sep 17 00:00:00 2001 From: yacovm Date: Mon, 17 Aug 2020 22:24:22 +0300 Subject: [PATCH] Fix and improve discovery TLS authentication comments in document Change-Id: I9a39ab88244438ccfb8ce97c235c45ec1c421419 Signed-off-by: yacovm (cherry picked from commit ea7ab2d247c4211963db0ab72c9d2674523cccbe) --- docs/source/discovery-cli.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/source/discovery-cli.md b/docs/source/discovery-cli.md index 698a16adc0c..d06da58eb52 100644 --- a/docs/source/discovery-cli.md +++ b/docs/source/discovery-cli.md @@ -87,12 +87,17 @@ signerconfig: When the peer runs with TLS enabled, the discovery service on the peer requires the client to connect to it with mutual TLS, which means it -needs to supply a TLS certificate. The peer is configured by default to -request (but not to verify) client TLS certificates, so supplying a TLS -certificate isn't needed (unless the peer's `tls.clientAuthRequired` is -set to `true`). +expects the client to authenticate using a TLS certificate. -When the discovery CLI's config file has a certificate path for +However, the peer is configured by default to +request (and verify if given, but not require) client TLS certificates. +Therefore, unless the peer's `tls.clientAuthRequired` is +set to `true` (in which case it mandates client-side TLS authentication), +TLS connections can be established to the peer but will be rejected in the +discovery application layer. To that end, the discovery CLI provides a +TLS certificate on its own if the user doesn't explicitly set one. + +More concretely, when the discovery CLI's config file has a certificate path for `peercacertpath`, but the `certpath` and `keypath` aren't configured as in the above - the discovery CLI generates a self-signed TLS certificate and uses this to connect to the peer.
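Review bot: the new wording "request (and verify if given, but not require) client TLS certificates" conflicts with the unchanged context two lines below, which says the discovery CLI "generates a self-signed TLS certificate and uses this to connect to the peer"; a self-signed certificate would fail verification, so either the peer does not verify certificates in the default mode (as the removed line "request (but not to verify)" stated) or the self-signed fallback cannot work. Please check the peer's actual client-auth mode before landing this and make the sentence match it. Separately, the "Therefore, unless the peer's `tls.clientAuthRequired` is set to `true` ... TLS connections can be established to the peer but will be rejected in the discovery application layer" sentence packs two cases into one clause and is hard to parse; consider splitting it into the two outcomes it describes: with `tls.clientAuthRequired` false, the handshake succeeds without a client certificate but the discovery layer rejects the request; with it true, the handshake itself fails. Minor: "as in the above - the discovery CLI" in the trailing context uses a bare hyphen where a comma or colon would read better.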