From 1c52c24a9325204bfc31285a649b07ea62cef5a2 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 19 Aug 2021 09:15:12 -0600
Subject: [PATCH] log_server_peer_cert and log_server_peer_key are not required by default. They are only required if sudo_logsrvd has tls_checkpeer enabled.
---
 doc/sudoers.man.in | 22 ++++++++++++++++------
 doc/sudoers.mdoc.in | 22 ++++++++++++++++------
 2 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 25904fb57..b1569a273 100644
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -4160,9 +4160,14 @@ log_server_peer_cert
 The path to the
 \fBsudo\fR
 client's certificate file, in PEM format.
-This setting is required when
-\fIlog_servers\fR
-is set and the remote log server is secured with TLS.
+This setting is required when the remote log server is secured
+with TLS and client certificate validation is enabled.
+For
+\fBsudo_logsrvd\fR,
+client certificate validation is controlled by the
+\fItls_checkpeer\fR
+option, which defaults to
+\fIfalse\fR.
 .sp
 This setting is only supported by version 1.9.0 or higher.
 .TP 18n
@@ -4170,9 +4175,14 @@ log_server_peer_key
 The path to the
 \fBsudo\fR
 client's private key file, in PEM format.
-This setting is required when
-\fIlog_servers\fR
-is set and the remote log server is secured with TLS.
+This setting is required when the remote log server is secured
+with TLS and client certificate validation is enabled.
+For
+\fBsudo_logsrvd\fR,
+client certificate validation is controlled by the
+\fItls_checkpeer\fR
+option, which defaults to
+\fIfalse\fR.
 .sp
 This setting is only supported by version 1.9.0 or higher.
 .TP 18n
diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index f4444302e..69dbdf912 100644
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -3914,18 +3914,28 @@ This setting is only supported by version 1.9.0 or higher.
 The path to the
 .Nm sudo
 client's certificate file, in PEM format.
-This setting is required when
-.Em log_servers
-is set and the remote log server is secured with TLS.
+This setting is required when the remote log server is secured
+with TLS and client certificate validation is enabled.
+For
+.Nm sudo_logsrvd ,
+client certificate validation is controlled by the
+.Em tls_checkpeer
+option, which defaults to
+.Em false .
 .Pp
 This setting is only supported by version 1.9.0 or higher.
 .It log_server_peer_key
 The path to the
 .Nm sudo
 client's private key file, in PEM format.
-This setting is required when
-.Em log_servers
-is set and the remote log server is secured with TLS.
+This setting is required when the remote log server is secured
+with TLS and client certificate validation is enabled.
+For
+.Nm sudo_logsrvd ,
+client certificate validation is controlled by the
+.Em tls_checkpeer
+option, which defaults to
+.Em false .
 .Pp
 This setting is only supported by version 1.9.0 or higher.
 .It mailsub