Commit

Add docs for TLS close link on certificate expiration (#86)
* Add docs for TLS close link on certificate expiration

* Fix typo
oteffahi authored Nov 22, 2024
1 parent 48a1e7b commit 9784cd1
Showing 1 changed file with 53 additions and 0 deletions.
53 changes: 53 additions & 0 deletions content/docs/manual/tls.md
Expand Up @@ -195,6 +195,59 @@ Again, the field `enable_mtls` needs to be set to `true` and we must provide the

---

## Close on certificate expiration

Starting with Zenoh v1.0.3, TLS and QUIC links can be closed when the remote certificate chain expires: the configured local instance will monitor the expiration time of the first expiring certificate in the remote instance's certificate chain, and will disconnect the link when said time is reached.

This behavior can be enabled via the zenoh config file, by setting the field `close_link_on_expiration` to `true`. This is valid for both TLS clients and servers.

### Client configuration

Below is an example config for a TLS client with certificate expiration monitoring. `mTLS`-related config fields can also be added if required.

```json
{
"mode": "client",
"connect": {
"endpoints": ["tls/localhost:7447"]
},
"transport": {
"link": {
"tls": {
"root_ca_certificate": "/home/user/server/minica.pem",
"close_link_on_expiration": true
}
}
}
}
```

### Listener configuration

Note that certificate expiration can only be monitored by a TLS listener when `mTLS` is enabled, since without `mTLS` a client does not need certificates to connect. Below is an example config for a router acting as TLS server with certificate expiration monitoring.

```json
{
"mode": "router",
"listen": {
"endpoints": ["tls/localhost:7447"]
},
"transport": {
"link": {
"tls": {
"root_ca_certificate": "/home/user/client/minica.pem",
"listen_private_key": "/home/user/server/localhost/key.pem",
"listen_certificate": "/home/user/server/localhost/cert.pem",
"enable_mtls": true,
"close_link_on_expiration": true
}
}
}
}
```

---

## Testing the TLS transport

Let's assume a scenario with one Zenoh router and two clients connected to it: one publisher and one subscriber.
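Review bot: The new "Close on certificate expiration" section never states the default value of `close_link_on_expiration` nor what happens to the link after it is closed, and both belong in the paragraph that introduces the field ("This behavior can be enabled via the zenoh config file..."). Readers configuring a client will want to know whether the link is simply dropped or whether the usual reconnection logic kicks in and is then refused by normal certificate validation against the now-expired chain; one sentence either way would settle it. Relatedly, the client section says "`mTLS`-related config fields can also be added if required" while the listener section explains that a listener can only monitor when `enable_mtls` is `true` because "without `mTLS` a client does not need certificates to connect"; it would help to make the asymmetry explicit in the client section, i.e. that a client always receives the server's chain and therefore needs no mTLS for monitoring, so the two sections read as one rule rather than two unrelated remarks. Finally, the listener example pairs `root_ca_certificate` (the CA used to validate client certificates) with `listen_certificate`/`listen_private_key` (the server's own identity), which is correct for mTLS but easy to misread; a short comment or sentence stating which CA file validates which side would prevent users from pointing `root_ca_certificate` at the wrong `minica.pem`.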
