From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Tue, 4 May 2021 10:22:34 +0000 (+0200)
Subject: DOC: ssl: Add information about crl-file option
X-Git-Tag: v2.4-dev19~85
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02bd68431b8b4ccf81121806658eb096a148f119;p=thirdparty%2Fhaproxy.git

DOC: ssl: Add information about crl-file option

When using the crl-file option with multiple Certificate Authority
levels in the CA chain, there must be one CRL per CA or the verify
function on the backend side will raise an "unagle to get certificate
CRL" error (error code 3).

This was required by GitHub issue #1201.
---

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3130e323af..e01637010b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13373,7 +13373,8 @@ ciphersuites <ciphersuites>
 crl-file <crlfile>
   This setting is only available when support for OpenSSL was built in. It
   designates a PEM file from which to load certificate revocation list used
-  to verify client's certificate.
+  to verify client's certificate. You need to provide a certificate revocation
+  list for every certificate of your certificate authority chain.
 
 crt <cert>
   This setting is only available when support for OpenSSL was built in. It