diff mod_firewall/README.markdown @ 4127:e9e10ec1b91c

mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported

This provides a balance between security and usability. SNI is supported in Prosody trunk and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
author Matthew Wild <mwild1@gmail.com>
date Tue, 15 Sep 2020 11:49:55 +0100
parents 68ceb7e0cfe6
children 87daef9ed4e7
--- a/mod_firewall/README.markdown	Tue Sep 15 11:45:09 2020 +0100
+++ b/mod_firewall/README.markdown	Tue Sep 15 11:49:55 2020 +0100
@@ -158,6 +158,10 @@
   ttl       Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour).
   pattern   Optional pattern used to extract list entries from the response. Default is to treat each line as a single item.
   hash      Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256.
+  checkcert Whether to verify HTTPS certificates. May be "always", "never" or "when-sni". Default "when-sni".
+
+The "when-sni" default disables certificate verification when Prosody's HTTP client API doesn't support SNI,
+as in Prosody 0.11.6 and earlier.
 
 #### CHECK LIST
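Review bot: The option name documented here ("checkcert") does not match the name in the commit subject ("checkcerts"); please confirm which spelling the mod_firewall code actually reads so the README and the implementation agree. In the explanatory paragraph after the table, the security consequence of the default should be stated explicitly rather than left implicit: with "when-sni" on Prosody 0.11.6 and earlier the list is fetched over TLS without certificate verification, so a network attacker in a position to intercept the connection could serve substituted list contents, and deployments that cannot accept that should set "always" (and upgrade to a Prosody with SNI support, which the commit message identifies as trunk and 0.11.7). Suggested wording for the paragraph: "Note that with "when-sni" on such versions the list is fetched without verifying the server's certificate; set "always" if you require verification (this needs SNI support, available in Prosody trunk and 0.11.7 or later)."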