Open jamielinux opened 1 year ago
Hi @jamielinux !
That option is a bit confusing with respect to defaults. When `tls.enabled` is used on components that use an HTTP client (i.e. they make HTTP requests) it defaults to `true`. When used on components that use an HTTP server, it defaults to `false` as otherwise it would require connecting clients to present a HTTP client certificate (less common).
Which component in particular are you interested in the default for?
Hi @jszwedko thanks for the reply! I did indeed get confused.
I'm using the vector sinks on various hosts to send data to a vector source on a centralized host, with certs on both sides (a client cert for the sink, and server cert for the source, all self-signed).
I just noticed that the default for `tls.verify_certificate` is `false` for the vector source but `true` for the vector sink. That matches with your explanation. So that clears that up! I think I got my sinks and sources mixed up in my head.
Unless I misunderstand, TLS options for the vector source are only relevant for incoming connections(?). If that's correct, I do still think the text on the vector source documentation for `tls.verify_certificate` could be improved (and by extension, the documentation for other sources too):
- "Enables certificate verification", should it say "Enables client certificate verification"?
- "Relevant for both incoming and outgoing connections", should it say "Relevant for incoming connections"?
- "Do NOT set this to false" warning be removed?
Hi @jamielinux !
I agree with all of those docs updates. I'll leave this issue open to track that.
Problem
Many of the sources have the `tls.verify_certificate` option. These options usually have this line in their documentation:
I find it odd that this warning is here, and yet the default is `false`.
Should `tls.verify_certificate` default to `true` (which would be the safest default)?
Configuration
No response
Version
0.27.0
Debug Output
No response
Example Data
No response
Additional Context
No response
References
No response
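The setup described in the thread (vector sinks on several hosts sending to a vector source on a central host, with certificates on both sides), written out as an added configuration example that is not from the issue or from the Vector project. File paths, the hostname, the port and the component names are constructed placeholders; it shows `tls.verify_certificate` set explicitly on the source, where the thread notes the default is `false`.

```toml
# --- Central host: vector source (TLS server side, incoming connections) ---
[sources.from_agents]                      # component name is a placeholder
type = "vector"
address = "0.0.0.0:6000"                   # constructed listen address

tls.enabled = true
tls.crt_file = "/etc/vector/tls/server.crt"    # placeholder: server certificate
tls.key_file = "/etc/vector/tls/server.key"    # placeholder: server private key
# CA (or the self-signed certificate itself) that the sink client certs chain to.
tls.ca_file = "/etc/vector/tls/clients-ca.crt" # placeholder path

# On a source this is client certificate verification. The thread notes it
# defaults to false here, so a ca_file alone does not make the listener
# require a client certificate; set it explicitly for mutual TLS.
tls.verify_certificate = true

# --- Agent host: vector sink (TLS client side, outgoing connections) ---
[sinks.to_central]                         # component name is a placeholder
type = "vector"
inputs = ["app_logs"]                      # hypothetical upstream component
address = "central.example.internal:6000"  # constructed hostname and port

tls.enabled = true
tls.crt_file = "/etc/vector/tls/agent.crt"     # placeholder: client certificate
tls.key_file = "/etc/vector/tls/agent.key"     # placeholder: client private key
# CA (or the self-signed certificate itself) that the source's server cert chains to.
tls.ca_file = "/etc/vector/tls/server-ca.crt"  # placeholder path

# On a sink this is server certificate verification. The thread notes it
# already defaults to true; it is written out so both sides are explicit.
tls.verify_certificate = true
```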