From 2be83fdca5c440d45b8cd92bda9315757463d6c7 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Tue, 1 Aug 2023 19:50:17 +0200
Subject: [feature] Allow users to skip http client tls verification for
 testing purposes (with appropriately loud warnings) (#2052)

---
 CONTRIBUTING.md | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'CONTRIBUTING.md')

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 853bf6145..6738a99dd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -437,17 +437,21 @@ Although this test *is* part of the CI/CD testing process, you probably won't ne
 
 #### Federation
 
-By using the support for loading TLS files from disk it is possible to have two local instances with TLS to allow for (manually) testing federation.
+By using the support for loading TLS files from disk it is possible to have two or more local instances with TLS to allow for (manually) testing federation.
 
 You'll need to set the following configuration options:
-* `GTS_TLS_CERTIFICATE_CHAIN`: poiting to a PEM-encoded certificate chain including the public certificate
-* `GTS_TLS_CERTIFICATE_KEY`: pointing to a PEM-encoded private key
+
+- `GTS_TLS_CERTIFICATE_CHAIN`: poiting to a PEM-encoded certificate chain including the public certificate.
+- `GTS_TLS_CERTIFICATE_KEY`: pointing to a PEM-encoded private key.
 
 Additionally, for the Go HTTP client to recognise certificates issued by a custom CA as valid, you'll need to set one of:
-* `SSL_CERT_FILE`: pointing to the public key of your custom CA
-* `SSL_CERT_DIR`: a `:`-separated list of directories to load CA certificates from
 
-You'll additionally need functioning DNS for your two instance names which you can achieve through entries in `/etc/hosts` or by running a local DNS server like [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html).
+- `SSL_CERT_FILE`: pointing to the public key of your custom CA.
+- `SSL_CERT_DIR`: a `:`-separated list of directories to load CA certificates from.
+
+The above `SSL_CERT` variables work on Unix-like systems only, excluding Mac. See https://pkg.go.dev/crypto/x509#SystemCertPool. If you are running your tests on an architecture that doesn't support setting the above variables, you can instead disable TLS certificate verification for the HTTP client entirely by setting `http-client.tls-insecure-skip-verify` to `true` in the config.yaml file.
+
+You'll additionally need functioning DNS for your two instance names, which you can achieve through entries in `/etc/hosts` or by running a local DNS server like [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html).
 
 ### Updating Swagger docs
 
-- 
cgit v1.3