From bdccdb644e6b45a86ca31af022b247e82326c43f Mon Sep 17 00:00:00 2001 From: Laurent Demailly Date: Thu, 1 Feb 2018 18:20:16 -0800 Subject: [PATCH 1/2] clarification on mTLS verification with curl from some confusion by user on slack --- _docs/tasks/security/mutual-tls.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/_docs/tasks/security/mutual-tls.md b/_docs/tasks/security/mutual-tls.md index 0e7adb3505b3..3c1379d0fc1d 100644 --- a/_docs/tasks/security/mutual-tls.md +++ b/_docs/tasks/security/mutual-tls.md @@ -96,6 +96,8 @@ There are several steps: ``` ```bash ... + * error fetching CN from cert:The requested data were not available. + ... < HTTP/1.1 200 OK < content-type: text/html; charset=utf-8 < content-length: 1867 
@@ -111,11 +113,15 @@ Note that Istio uses [Kubernetes service account](https://kubernetes.io/docs/tas as service identity, which offers stronger security than service name (refer [here]({{home}}/docs/concepts/security/mutual-tls.html#identity) for more information). Thus the certificates used in Istio do not have service name, which is the information that curl needs to verify -server identity. As a result, we use curl option '-k' to prevent the curl client from verifying service identity -in server's (i.e., productpage) certificate. +server identity. As a result, we use curl option '-k' to prevent the curl client from aborting when failing to +find and verify the service identity +in the server's (i.e., productpage) certificate. + Please check secure naming [here]({{home}}/docs/concepts/security/mutual-tls.html#workflow) for more information about how the client verifies the server's identity in Istio. +What we are demonstrating and verifying above is that the server accepts the connection from the client. Try not giving the client `--key` and `--cert` and observe you are not allowed to connect and you do not get an HTTP 200. + ## Further reading * Learn more about the design principles behind Istio's automatic mTLS authentication From d56cfaf62b80c17048e6d0900b6c46170290e2f1 Mon Sep 17 00:00:00 2001 From: Laurent Demailly Date: Fri, 2 Feb 2018 11:05:55 -0800 Subject: [PATCH 2/2] update ptal --- _docs/tasks/security/mutual-tls.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/_docs/tasks/security/mutual-tls.md b/_docs/tasks/security/mutual-tls.md index 3c1379d0fc1d..e5ee6023220c 100644 --- a/_docs/tasks/security/mutual-tls.md +++ b/_docs/tasks/security/mutual-tls.md 
@@ -114,8 +114,7 @@ as service identity, which offers stronger security than service name (refer [here]({{home}}/docs/concepts/security/mutual-tls.html#identity) for more information). Thus the certificates used in Istio do not have service name, which is the information that curl needs to verify server identity. As a result, we use curl option '-k' to prevent the curl client from aborting when failing to -find and verify the service identity -in the server's (i.e., productpage) certificate. +find and verify the server name (i.e., productpage.ns.svc.cluster.local) in the certificate provided by the server. Please check secure naming [here]({{home}}/docs/concepts/security/mutual-tls.html#workflow) for more information about how the client verifies the server's identity in Istio.
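Review bot: In the first hunk (the `@@ -96,6 +96,8 @@` output sample) the new line `* error fetching CN from cert:The requested data were not available.` is dropped into the expected curl output without anything beside it telling the reader that this is the expected result of the certificate carrying no service name rather than a failure of the task; the explanation only arrives two hunks later under the `-k` discussion. Suggest a one-line comment or sentence directly under the output block, e.g. "The `error fetching CN from cert` line is expected: Istio certificates carry a service account identity, not a CN, see below.", so a reader comparing output does not stop at that line.

Review bot: The second hunk (`@@ -111,11 +113,15 @@`) describes `-k` as preventing curl "from aborting when failing to find and verify the service identity", but `-k`/`--insecure` turns off server certificate verification entirely (trust chain as well as name matching), so the client in this demo is not authenticating the server at all. Since the new paragraph says "What we are demonstrating and verifying above is that the server accepts the connection from the client", it would help to state that explicitly: the demo verifies server-side authentication of the client certificate only, and the secure-naming link is where server identity checking is described. The added "Try not giving the client `--key` and `--cert`" sentence would also be stronger if it showed the expected failure output, as the success case does, so readers can tell a rejected mTLS handshake from an unrelated connectivity error. Minor: the replacement text wraps `find and verify the service identity` / `in the server's (i.e., productpage) certificate.` across two short lines, which the second patch already reflows.

Review bot: In the third hunk (`@@ -114,8 +114,7 @@`) the example hostname `productpage.ns.svc.cluster.local` uses `ns` where a real namespace would appear, which reads as a literal name rather than a placeholder. Suggest either spelling it out ("where `ns` is the namespace the Bookinfo sample was deployed in") or using the same hostname the curl command in this task actually targets, so the sentence matches what the reader typed.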