From: Francis Dupont Date: Wed, 1 Jun 2022 13:07:15 +0000 (+0200) Subject: [#1706] Added require-client-certs doc X-Git-Tag: Kea-2.1.7~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93d540007aac40c37633fd2f99a2ef8b4e41f336;p=thirdparty%2Fkea.git [#1706] Added require-client-certs doc --- diff --git a/doc/sphinx/arm/hooks-ha.rst b/doc/sphinx/arm/hooks-ha.rst index 66909d3bd3..7e77a7003f 100644 --- a/doc/sphinx/arm/hooks-ha.rst +++ b/doc/sphinx/arm/hooks-ha.rst @@ -221,12 +221,21 @@ HTTPS for a particular peer when it is enabled at the global level. As the High Availability hook library is an HTTPS client, there is no ``cert-required`` parameter in this hook configuration. -This parameter can be set in Control Agent to require and verify client certificate -in Client-Server communication. It does not affect communication -between HA peers. +This parameter can be set in Control Agent to require and verify +client certificate in Client-Server communication. It does not affect +communication between HA peers at the client side, see below for +the server side. -Currently using HTTPS in HA setup requires use of Control Agent on all peers. -(See :ref:`tls` for Control Agent TLS configuration). +Before Kea 2.2.0 using HTTPS in HA setup requires use of Control Agent +on all peers. (See :ref:`tls` for Control Agent TLS configuration). + +Since Kea 2.2.0 the HTTPS server side is supported: + +- the peer entry for the server name is used for the TLS setting. + +- the new ``require-client-certs`` specifies if client certificates + are required and verified, i.e. like ``cert-required``. It defaults + to true and is a HA config (vs peer config) parameter. Following is an example of HA server pair and Control Agent configuration for Hot-Standby with TLS.
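Review bot: In the new bullet list, the ``require-client-certs`` item only says it behaves "like ``cert-required``" and defaults to true; because this parameter decides whether a client connecting to the HA server side must present a certificate, the text should state outright what setting it to false means (client certificates are not required and not verified) and that it is set once at the HA configuration level rather than per peer. The first bullet, "the peer entry for the server name is used for the TLS setting", should name which peer entry parameters are meant, so a reader knows what the listener takes from that entry. The unchanged context sentence "As the High Availability hook library is an HTTPS client, there is no ``cert-required`` parameter in this hook configuration" now sits awkwardly above a paragraph that adds server-side support and an equivalent parameter, so qualify it with the same version boundary. Wording: "Before Kea 2.2.0 using HTTPS in HA setup requires" should be "required", "a HA config" should be "an HA config", and "at the client side, see below for the server side" is a comma splice that would read better as two sentences.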