You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/guides/sre/tls/configuring-tls.md
+103Lines changed: 103 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -549,6 +549,109 @@ The `<server>` section is used for incoming client connections on the secure Kee
549
549
The certificate paths above use `/etc/clickhouse-keeper/certs/` which is the typical path for standalone Keeper installations. If you installed Keeper using a different path, adjust accordingly. The certificates themselves are the same ones created in [step 2](#2-create-tls-certificates).
550
550
:::
551
551
552
+
## OpenSSL verification modes and certificate handlers {#openssl-verification-modes}
553
+
554
+
The `<openSSL>` configuration supports several options for `<verificationMode>` and `<invalidCertificateHandler>` that control how ClickHouse validates TLS certificates. These settings apply to clickhouse-server, clickhouse-client, and standalone ClickHouse Keeper.
555
+
556
+
### Verification modes {#verification-modes}
557
+
558
+
Set `<verificationMode>` inside the `<server>` or `<client>` section of `<openSSL>`:
559
+
560
+
| Mode | Description |
561
+
|------|-------------|
562
+
| `none` | No certificate verification. The connection is encrypted but the peer's identity is not checked. Only use this for testing. |
563
+
|`relaxed`| Verifies the peer certificate if one is presented, but does not fail if no certificate is provided. |
564
+
|`once`| On the server side, verifies the client certificate on the initial handshake only and skips renegotiation. On the client side, behaves the same as `relaxed`. |
565
+
|`strict`| Requires and fully verifies the peer certificate. The connection fails if the certificate is missing, expired, or not signed by a trusted CA. Recommended for production. |
Set `<invalidCertificateHandler>` inside the `<server>` or `<client>` section of `<openSSL>`. This handler determines what happens when certificate verification fails. On the server side, it controls the response to invalid client certificates. On the client side, it controls the response to invalid server certificates.
570
+
571
+
| Handler | Description |
572
+
|---------|-------------|
573
+
|`RejectCertificateHandler`| Rejects the connection if the certificate is invalid. This is the default and recommended setting. |
574
+
|`AcceptCertificateHandler`| Accepts the connection even if the certificate is invalid. Only use this for testing. |
Disabling certificate verification removes TLS identity checks and exposes connections to man-in-the-middle attacks. Only use this configuration in isolated development or testing environments.
580
+
:::
581
+
582
+
To skip certificate verification entirely (for example, when using self-signed certificates in a test environment), set`verificationMode` to `none` and use `AcceptCertificateHandler`.
583
+
584
+
For `clickhouse-client`, you can also use the `--accept-invalid-certificate` CLI flag, which applies both settings automatically.
**clickhouse-server** (`config.xml` or a file in`config.d/`). The `<server>` section still requires certificate and key paths because the server must present its own certificate to clients, even when it isn't verifying theirs:
This article focused on getting a ClickHouse environment configured with TLS. The settings will differ for different requirements in production environments; for example, certificate verification levels, protocols, ciphers, etc. But you should now have a good understanding of the steps involved in configuring and implementing secure connections.
![locadex-agent[bot]](https://avatars.githubusercontent.com/in/1436158?v=4&size=40){kind=avatar}
0 commit comments