Teardown tunnel automatically if peer's certificate expired (#370)

Donatas Abraitis
2021-10-20 21:23:33 +03:00
committed by GitHub
parent e8b08e49e6
commit 32e2619323
5 changed files with 167 additions and 19 deletions


@ -7,9 +7,11 @@ pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/host.crt
key: /etc/nebula/host.key
#blocklist is a list of certificate fingerprints that we will refuse to talk to
# blocklist is a list of certificate fingerprints that we will refuse to talk to
#blocklist:
# - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
# disconnect_invalid is a toggle to force a client to be disconnected if the certificate is expired or invalid.
#disconnect_invalid: false
# The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
# A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.
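Review bot: The new `disconnect_invalid` comment does not say what happens when the option is left at the `false` shown here, which is the case an operator most needs to understand: the commit title promises automatic teardown, but as documented it is opt-in. With `false`, an already-established tunnel presumably stays up after the peer's certificate expires. The wording is also loose: "client" should be "peer" to match the title, and it is not stated whether "invalid" covers a fingerprint newly added to `blocklist` above. I would write `# disconnect_invalid: when true, tear down an established tunnel as soon as the peer's certificate is expired or otherwise no longer valid.` and add `# When false (the default), an expired certificate is only rejected at the next handshake.` The second line and the blocklist question need confirming against the implementation, which is not in this hunk.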