mtls certification verification updates and added CRL info #335
Conversation
Pull Request Overview
This PR adds comprehensive certificate revocation checking capabilities to Harper's mTLS authentication system. The changes enhance security by allowing certificates to be verified against Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) to ensure revoked certificates cannot be used for authentication.
- Added detailed certificate verification documentation with CRL and OCSP support
- Updated mTLS authentication documentation to reference the new certificate verification features
- Enhanced configuration documentation with comprehensive certificate verification settings
- Restructured security documentation index to better organize authentication and certificate management topics
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/developers/security/mtls-auth.md | Added certificate revocation checking section with basic configuration example |
| docs/developers/security/index.md | Restructured navigation to separate authentication, certificate management, and access control |
| docs/developers/security/certificate-verification.md | New comprehensive documentation covering CRL/OCSP verification, configuration, troubleshooting, and best practices |
| docs/developers/security/certificate-management.md | Added certificate revocation checking section explaining CRL and OCSP methods |
| docs/deployments/configuration.md | Updated HTTP and replication configuration sections with detailed certificate verification settings |
kriszyp left a comment
Fantastic docs, great work!
docs/deployments/configuration.md (outdated)

This can be enabled to require client certificates (mTLS) for all incoming HTTP connections. If enabled, any connection that doesn't provide an authorized certificate will be rejected/closed. By default, this is disabled, and authentication can take place with mTLS _or_ standard credential authentication.

`certificateVerification` - _Type_: boolean | object; _Default_: true

**Note:** MQTT has its own `mqtt.network.mtls.required` setting. Replication always requires mTLS (cannot be disabled).
Secure (wss with a securePort) replication always requires mTLS (non-secure replication can be done by specifying IP addresses).
Shoot. Right. Good catch. That's confusing and not thorough.
Updated. LMK what you think.
… replication auth handling