From 899f0088aa2fcb5688efd8788fa64054dd3ec89c Mon Sep 17 00:00:00 2001
From: Shyukri Shyukriev
Date: Fri, 7 Nov 2025 09:56:39 +0200
Subject: [PATCH 1/2] Add documentation for client_allowed_sans.
Signed-off-by: Shyukri Shyukriev
---
 CHANGELOG.md | 2 +-
 docs/https.md | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44610e0547..ffa75a1de7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 * [CHANGE] ...
 * [FEATURE] ...
-* [ENHANCEMENT] ...
+* [ENHANCEMENT] Add documentation for `client_allowed_sans`. #4564
 * [BUGFIX] ...
 ## 0.29.0 / 2025-11-01
diff --git a/docs/https.md b/docs/https.md
index 4625423a46..6fa3ee8115 100644
--- a/docs/https.md
+++ b/docs/https.md
@@ -44,6 +44,13 @@ tls_server_config:
 # CA certificate for client certificate authentication to the server.
 [ client_ca_file: ]
+ # Verify that the client certificate has a Subject Alternate Name (SAN)
+ # which is an exact match to an entry in this list, else terminate the
+ # connection. SAN match can be one or multiple of the following: DNS,
+ # IP, e-mail, or URI address from https://pkg.go.dev/crypto/x509#Certificate.
+ [ client_allowed_sans:
+ [ - ] ]
+
 # Minimum TLS version that is acceptable.
 [ min_version: | default = "TLS12" ]
From 672350b35b6971483e44d973918f6334d2745c42 Mon Sep 17 00:00:00 2001
From: Ben Kochie
Date: Fri, 7 Nov 2025 16:52:28 +0100
Subject: [PATCH 2/2] Update CHANGELOG.md
Signed-off-by: Ben Kochie
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffa75a1de7..44610e0547 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 * [CHANGE] ...
 * [FEATURE] ...
-* [ENHANCEMENT] Add documentation for `client_allowed_sans`. #4564
+* [ENHANCEMENT] ...
 * [BUGFIX] ...
 ## 0.29.0 / 2025-11-01