Commit d6837aa

Document that tls_checkpeer results in a DNS lookup of the IP address.
1 parent bfc344d commit d6837aa

2 files changed

+14
-4
lines changed

docs/sudo_logsrvd.conf.man.in

Lines changed: 7 additions & 2 deletions
@@ -2,7 +2,7 @@
22
.\"
33
.\" SPDX-License-Identifier: ISC
44
.\"
5-
.\" Copyright (c) 2019-2023 Todd C. Miller <[email protected]>
5+
.\" Copyright (c) 2019-2025 Todd C. Miller <[email protected]>
66
.\"
77
.\" Permission to use, copy, modify, and distribute this software for any
88
.\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
1616
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1717
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1818
.\"
19-
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "March 9, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
19+
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "September 28, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
2020
.nh
2121
.if n .ad l
2222
.SH "NAME"
@@ -203,6 +203,11 @@ authority, the
203203
\fItls_cacert\fR
204204
setting must be set to a CA bundle that contains the CA certificate
205205
used to generate the client certificate.
206+
To validate the certificate,
207+
\fBsudo_logsrvd\fR
208+
will perform a reverse DNS lookup of the client's IP address.
209+
In order to be considered valid, either the IP address or the
210+
resolved hostname must be present in the client certificate.
206211
The default value is
207212
\fIfalse\fR.
208213
.TP 6n
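
Review bot: The added sentences at new lines 206-210 do not say what happens when the reverse lookup returns no name or fails, nor which part of the client certificate is searched for the IP address or hostname. Suggest stating whether validation then proceeds on the IP address comparison alone, and naming the certificate field or fields that are checked, so that an administrator enabling tls_checkpeer knows how far client validation depends on the resolver.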

docs/sudo_logsrvd.conf.mdoc.in

Lines changed: 7 additions & 2 deletions
@@ -1,7 +1,7 @@
11
.\"
22
.\" SPDX-License-Identifier: ISC
33
.\"
4-
.\" Copyright (c) 2019-2023 Todd C. Miller <[email protected]>
4+
.\" Copyright (c) 2019-2025 Todd C. Miller <[email protected]>
55
.\"
66
.\" Permission to use, copy, modify, and distribute this software for any
77
.\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
1515
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1616
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1717
.\"
18-
.Dd March 9, 2024
18+
.Dd September 28, 2025
1919
.Dt SUDO_LOGSRVD.CONF @mansectform@
2020
.Os Sudo @PACKAGE_VERSION@
2121
.Sh NAME
@@ -183,6 +183,11 @@ authority, the
183183
.Em tls_cacert
184184
setting must be set to a CA bundle that contains the CA certificate
185185
used to generate the client certificate.
186+
To validate the certificate,
187+
.Nm sudo_logsrvd
188+
will perform a reverse DNS lookup of the client's IP address.
189+
In order to be considered valid, either the IP address or the
190+
resolved hostname must be present in the client certificate.
186191
The default value is
187192
.Em false .
188193
.It tls_ciphers_v12 = string
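
Review bot: In the added lines 186-190, "the resolved hostname" is accepted as a match, but the text does not say whether that name is confirmed by a forward lookup back to the client's address. A PTR record is set by whoever controls the reverse zone for the address, so it is worth documenting how far the name is trusted, and noting that, per the "either ... or" wording, a certificate that carries the IP address itself can match without relying on the resolved name.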
