From f8ccf6cceab8b1887749885defb35630228f4de7 Mon Sep 17 00:00:00 2001 From: Markus Makela Date: Tue, 2 Jun 2015 17:00:39 +0300 Subject: [PATCH] Added SSL level configuration to services. --- Getting-Started/Configuration-Guide.md | 48 ++++++++++++++++++++++++++ Reference/MaxScale-and-SSL.md | 3 +- 2 files changed, 50 insertions(+), 1 deletion(-) diff --git a/Getting-Started/Configuration-Guide.md b/Getting-Started/Configuration-Guide.md index 535eca2cc..e3cc4871b 100644 --- a/Getting-Started/Configuration-Guide.md +++ b/Getting-Started/Configuration-Guide.md 
@@ -326,6 +326,54 @@ Example: connection_timeout=300 ``` +### Service and SSL + +This section describes configuration parameters for services that control the SSL/TLS encrption method and the various certificate files involved in it. To enable SSL, you must configure the `ssl` parameter with either `enabled` or `required` and provide the three files for `ssl_cert`, `ssl_key` and `ssl_ca_cert`. After this, MySQL connections to this service can be encrypted with SSL. + +#### `ssl` + +This enables SSL connections to the service. If this parameter is set to either `required` or `enabled` and the three certificate files can be found (these are explained afterwards), then client connections will be encrypted with SSL. If the parameter is `enabled` then both SSL and non-SSL connections can connect to this service. If the parameter is set to `required` then only SSL connections can be used for this service and non-SSL connections will get an error when they try to connect to the service. + +#### `ssl_key` + +The SSL private key the service should use. This will be the private key that is used as the server side private key during a client-server SSL handshake. This is a required parameter for SSL enabled services. + +#### `ssl_cert` + +The SSL certificate the service should use. This will be the public certificate that is used as the server side certificate during a client-server SSL handshake. This is a required parameter for SSL enabled services. + +#### `ssl_ca_cert` + +This is the Certificate Authority file. It will be used to verify that both the client and the server certificates are valid. This is a required parameter for SSL enabled services. + +### `ssl_version` + +This parameter controls the level of encryption used. 
Accepted values are: + * SSLv2 + * SSLv3 + * TLSv10 + * TLSv11 + * TLSv12 + * MAX + +Example SSL enabled service configuration: + +``` +[ReadWriteSplitService] +type=service +router=readwritesplit +servers=server1,server2,server3 +user=myuser +passwd=mypasswd +ssl=required +ssl_cert=/home/markus/certs/server-cert.pem +ssl_key=/home/markus/certs/server-key.pem +ssl_ca_cert=/home/markus/certs/ca.pem +ssl_version=TLSv12 +``` + +This configuration requires all connections to be encryped with SSL. It also specifies that TLSv1.2 should be used as the encryption method. The paths to the server certificate files and the Certificate Authority file are also provided. + ### Server Server sections are used to define the backend database servers that can be formed into a service. A server may be a member of one or more services within MaxScale. Servers are identified by a server name which is the section name in the configuration file. Servers have a type parameter of server, plus address port and protocol parameters. diff --git a/Reference/MaxScale-and-SSL.md b/Reference/MaxScale-and-SSL.md index a4210b0de..ca61d52e2 100644 --- a/Reference/MaxScale-and-SSL.md +++ b/Reference/MaxScale-and-SSL.md 
@@ -5,9 +5,10 @@ MaxScale supports client side SSL connections. Enabling is done on a per service ## SSL Options Here are the options which relate to SSL and certificates. -Parameter|Values|Description +Parameter|Values |Description ---------|-----------|-------- ssl | disabled, enabled, required |`disable` disables SSL, `enabled` enables SSL for client connections but still allows non-SSL connections and `required` requires SSL from all client connections. With the `required` option, client connections that do not use SSL will be rejected. ssl_cert | |Path to server certificate ssl_key | |Path to server private key ssl_ca_cert | |Path to Certificate Authority file +ssl_version|SSLV2,SSLV3,TLSV10,TLSV11,TLSV12,MAX| The SSL method level, defaults to highest available encryption level which is TLSv1.2
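Review bot: in the Configuration-Guide.md hunk, the new `ssl_version` section lists SSLv2 and SSLv3 as accepted values with no caveat; both protocol versions are known to be insecure and are disabled by default in current TLS libraries, so the documentation should say they exist for compatibility only and that `MAX` (or `TLSv12`) is the recommended setting, and it should state what `ssl_version` defaults to when omitted (the reference table in this same patch says TLSv1.2; the guide says nothing). Smaller points in the same hunk: the heading `### \`ssl_version\`` is one level higher than its sibling parameter headings (`#### \`ssl\``, `#### \`ssl_key\``, `#### \`ssl_cert\``), so it renders as a new subsection rather than as a parameter; "encrption" and "encryped" are typos for "encryption" and "encrypted"; "controls the level of encryption used" is misleading, since the parameter selects the SSL/TLS protocol version rather than a cipher strength; and the example paths under `/home/markus/certs/` should use a neutral location such as `/etc/maxscale/certs/`.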
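Review bot: in the MaxScale-and-SSL.md hunk, the new `ssl_version` row spells the values `SSLV2,SSLV3,TLSV10,TLSV11,TLSV12,MAX`, while the Configuration-Guide.md section added in this same patch spells them `SSLv2`, `SSLv3`, `TLSv10` and so on; use one spelling in both documents, or state explicitly that the value is matched case-insensitively if the parser does so. The description "The SSL method level, defaults to highest available encryption level which is TLSv1.2" would be clearer as "SSL/TLS protocol version to use; defaults to MAX, the highest version available (TLSv1.2)", and it should carry the same note as the guide that SSLv2 and SSLv3 are insecure and kept only for compatibility. While this table is being edited, the `ssl` row's description says `disable` where the accepted value in the Values column is `disabled`.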