make sure client CA and auth type are set if CA is explicitly specified. (#2825)

* make sure client CA and auth type are set if CA is explicitly specified.

added some simple tests to confirm the effect.

* test certificates (forgot to add them in the previous commit)

* made client auth policy configurable with new client_auth option.

README has been updated accordingly.

* fix editorial in README
JINMEI Tatuya
2019-05-31 09:30:15 -07:00
committed by John Belamaric
parent 5565ca1c03
commit a6d9adbf4a
6 changed files with 160 additions and 1 deletions

@@ -24,6 +24,16 @@ tls CERT KEY [CA]
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate
~~~ txt
tls CERT KEY [CA] {
client_auth nocert|request|require|verify_if_given|require_and_verify
}
~~~
If client_auth option is specified, it controls the client authentication policy.
The option value corresponds to the [ClientAuthType values of the Go tls package](https://golang.org/pkg/crypto/tls/#ClientAuthType): NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is set to verify_if_given or require_and_verify.
## Examples
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
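Review bot: the new paragraph leaves the interaction between parameter CA and the default policy ambiguous: `The default is "nocert"` together with `it makes no sense to specify parameter CA unless this option is set to verify_if_given or require_and_verify` reads as if a CA given without `client_auth` is simply ignored, while the commit title says the client CA and auth type are set whenever CA is explicitly specified. State which behaviour applies when CA is present and `client_auth` is omitted (for example, that the policy then defaults to one of the verifying modes, if that is what the code does), so an operator does not assume that listing a CA by itself enforces client certificate verification. It would also help to say explicitly that `nocert`, `request` and `require` never validate a presented certificate against CA, and that only `verify_if_given` and `require_and_verify` do, since `require` on its own accepts any certificate the client chooses to send.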