Mercurial > prosody-wiki
annotate mod_s2s_auth_fingerprint.wiki @ 430:1cc57962610c
add page about mod_component_roundrobin
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 21 Feb 2014 17:28:27 +0100 |
| parents | fdff0de712a7 |
| children | 171663daa144 |
| rev | line source |
|---|---|
| 330 | 1 #summary Fingerprint based s2s authentication |
| 414 | 2 #labels Stage-Alpha, Type-S2SAuth |
| 330 | 3 |
| 4 = Introduction = | |
| 5 | |
| 6 This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint. | |
|
399
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
7 This is useful if you have many connections to servers that use self-signed certificates. |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
8 |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
9 = Details = |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
10 |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
11 In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed. |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
12 If it doesn't match, the status of the standard PKIX and identity validation is preserved. |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
13 Thus it is easy to switch from a self-signed certificate to a CA-signed certificate. |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
14 |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
15 The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning. |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
16 Servers not listed in the configuration are not affected. |
| 330 | 17 |
| 18 = Configuration = | |
| 19 | |
|
419
fdff0de712a7
mod_s2s_auth_fingerprint: Describe how to change the digest. (thanks hardfalcon)
Kim Alvefur <zash@zash.se>
parents:
414
diff
changeset
|
20 After installing and enabling this module, you can put fingerprints of remote servers in your config like this: |
| 330 | 21 |
| 22 {{{ | |
|
419
fdff0de712a7
mod_s2s_auth_fingerprint: Describe how to change the digest. (thanks hardfalcon)
Kim Alvefur <zash@zash.se>
parents:
414
diff
changeset
|
23 s2s_auth_fingerprint_digest = "sha1" -- This is the default. Other options are "sha256" and "sha512" |
| 330 | 24 s2s_trusted_fingerprints = { |
|
363
4a39ef28e2d9
slight change and fix syntax error in example config
Kim Alvefur <zash@zash.se>
parents:
330
diff
changeset
|
25 ["jabber.org"] = "11:C2:3D:87:3F:95:F8:13:F8:CA:81:33:71:36:A7:00:E0:01:95:ED"; |
| 330 | 26 ["matthewwild.co.uk"] = { |
| 27 "FD:7F:B2:B9:4C:C4:CB:E2:E7:48:FB:0D:98:11:C7:D8:4D:2A:62:AA"; | |
| 28 "CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0"; | |
| 29 }; | |
| 30 } | |
| 31 }}} | |
| 32 | |
|
399
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
33 To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}} |
|
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
34 |
| 330 | 35 = Compatibility = |
| 36 | |
| 37 ||trunk||Works|| | |
| 38 ||0.9||Works|| | |
|
399
c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents:
363
diff
changeset
|
39 ||0.8||Doesn't work|| |
| 330 | 40 |