annotate mod_s2s_auth_fingerprint.wiki @ 435:fae8b0661edf

Add info about _xmpp-server IN TLSA
author Kim Alvefur <zash@zash.se>
date Mon, 10 Mar 2014 16:08:19 +0100
parents fdff0de712a7
children 171663daa144
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 #summary Fingerprint based s2s authentication
414
dc20cb1bb874 add some labels
Kim Alvefur <zash@zash.se>
parents: 399
diff changeset
2 #labels Stage-Alpha, Type-S2SAuth
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 = Introduction =
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint.
399
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
7 This is useful if you have many connections to servers that use self-signed certificates.
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
8
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
9 = Details =
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
10
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
11 In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed.
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
12 If it doesn't match, the status of the standard PKIX and identity validation is preserved.
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
13 Thus it is easy to switch from a self-signed certificate to a CA-signed certificate.
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
14
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
15 The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning.
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
16 Servers not listed in the configuration are not affected.
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 = Configuration =
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19
419
fdff0de712a7 mod_s2s_auth_fingerprint: Describe how to change the digest. (thanks hardfalcon)
Kim Alvefur <zash@zash.se>
parents: 414
diff changeset
20 After installing and enabling this module, you can put fingerprints of remote servers in your config like this:
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 {{{
419
fdff0de712a7 mod_s2s_auth_fingerprint: Describe how to change the digest. (thanks hardfalcon)
Kim Alvefur <zash@zash.se>
parents: 414
diff changeset
23 s2s_auth_fingerprint_digest = "sha1" -- This is the default. Other options are "sha256" and "sha512"
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 s2s_trusted_fingerprints = {
363
4a39ef28e2d9 slight change and fix syntax error in example config
Kim Alvefur <zash@zash.se>
parents: 330
diff changeset
25 ["jabber.org"] = "11:C2:3D:87:3F:95:F8:13:F8:CA:81:33:71:36:A7:00:E0:01:95:ED";
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 ["matthewwild.co.uk"] = {
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 "FD:7F:B2:B9:4C:C4:CB:E2:E7:48:FB:0D:98:11:C7:D8:4D:2A:62:AA";
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 "CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0";
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 };
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 }
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 }}}
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
399
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
33 To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}}
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
34
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 = Compatibility =
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 ||trunk||Works||
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 ||0.9||Works||
399
c35cf2a46b78 mod_s2s_auth_fingerprint: Describe cert pinning mode
Kim Alvefur <zash@zash.se>
parents: 363
diff changeset
39 ||0.8||Doesn't work||
330
533a06d9b6db added mod_s2s_auth_fingerprint.wiki
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40