Diffstat (limited to 'enc.conf.in')
-rw-r--r--enc.conf.in13
1 files changed, 13 insertions, 0 deletions
diff --git a/enc.conf.in b/enc.conf.in
index 17b480c1..980cfb2e 100644
--- a/enc.conf.in
+++ b/enc.conf.in
@@ -91,6 +91,19 @@
# the server too for mutual authentication. Combine encryption=none
# with auth=required for authenticated but unencrypted flows.
#
+# Issuer Pinning (cacert=):
+# -------------------------
+#
+# cacert=<path> Path to a CA certificate that must be part of the
+# peer certificate's verified chain
+#
+# The peer certificate is always validated against the trusted CA
+# store; cacert= further restricts which CA must have issued it: a
+# certificate, if presented, must chain through the pinned CA. Whether
+# a certificate is mandatory is controlled by auth= alone: under
+# auth=optional a peer may still connect without one. The pinned CA
+# must load when the config is read, otherwise flow allocation fails.
+#
# KEM Mode (kem_mode=):
# ---------------------
#
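Review bot: The new cacert= text leaves the accepted file format unstated: whether the path must point to a single PEM certificate or may hold a bundle, and whether an intermediate CA is an acceptable pin or only a root, which is what an operator needs to know when rotating issuers without breaking flow allocation. Stating it on the option line, e.g. `# cacert=<path> Path to a PEM CA certificate (root or intermediate) that must be part of the peer certificate's verified chain`, would settle that, adjusted to whatever the loader actually accepts. It would also help to spell out what the "if presented" wording implies: that with auth=none, where presumably no peer certificate is requested at all, a configured cacert= restricts nothing, so the option is not read as an enforcement control on its own, e.g. `# cacert= only restricts certificates that are actually presented; combine it with auth=required to enforce the pin.`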