# HG changeset patch
# User Kim Alvefur
# Date 1612646108 -3600
# Node ID 0e3f5f70a51d2bd13d6608dd2737a433cfea0369
# Parent e83284d4d5c2bc4d266991e17a6ef82d8d69a7f0
mod_auth_ccert/README: Add certificate purpose conifg to example
Thanks debacle
By default Prosody validates all client certificates as if they were server certificates, for historical reasons, from a time when you couldn't get certificates with the client purpose.
diff -r e83284d4d5c2 -r 0e3f5f70a51d mod_auth_ccert/README.markdown
--- a/mod_auth_ccert/README.markdown Sat Feb 06 21:34:25 2021 +0100
+++ b/mod_auth_ccert/README.markdown Sat Feb 06 22:15:08 2021 +0100
@@ -23,6 +23,10 @@
 cafile = "/path/to/your/ca.pem";
 capath = false; -- Disable capath inherited from built-in default
 verify = {"peer"; "client_once"}; -- Ask for client certificate
+ verifyext = {
+ -- Don't validate client certs as if they were server certs
+ lsec_ignore_purpose = false
+ }
 }