Mercurial > prosody-wiki
comparison mod_s2s_auth_fingerprint.wiki @ 451:171663daa144
mod_s2s_auth_fingerprint: remove info about pinning, this is the default now
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 27 Apr 2014 03:39:53 +0200 |
| parents | fdff0de712a7 |
| children |
comparison
equal
deleted
inserted
replaced
| 450:042161223488 | 451:171663daa144 |
|---|---|
| 1 #summary Fingerprint based s2s authentication | 1 #summary Fingerprint based s2s authentication |
| 2 #labels Stage-Alpha, Type-S2SAuth | 2 #labels Stage-Alpha, Type-S2SAuth |
| 3 | 3 |
| 4 = Introduction = | 4 = Introduction = |
| 5 | 5 |
| 6 This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint. | 6 This module allows you to manually pin certificate fingerprints of remote servers. |
| 7 This is useful if you have many connections to servers that use self-signed certificates. | |
| 8 | 7 |
| 9 = Details = | 8 = Details = |
| 10 | 9 |
| 11 In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed. | |
| 12 If it doesn't match, the status of the standard PKIX and identity validation is preserved. | |
| 13 Thus it is easy to switch from a self-signed certificate to a CA-signed certificate. | |
| 14 | |
| 15 The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning. | |
| 16 Servers not listed in the configuration are not affected. | 10 Servers not listed in the configuration are not affected. |
| 17 | 11 |
| 18 = Configuration = | 12 = Configuration = |
| 19 | 13 |
| 20 After installing and enabling this module, you can put fingerprints of remote servers in your config like this: | 14 After installing and enabling this module, you can put fingerprints of remote servers in your config like this: |
| 26 ["matthewwild.co.uk"] = { | 20 ["matthewwild.co.uk"] = { |
| 27 "FD:7F:B2:B9:4C:C4:CB:E2:E7:48:FB:0D:98:11:C7:D8:4D:2A:62:AA"; | 21 "FD:7F:B2:B9:4C:C4:CB:E2:E7:48:FB:0D:98:11:C7:D8:4D:2A:62:AA"; |
| 28 "CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0"; | 22 "CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0"; |
| 29 }; | 23 }; |
| 30 } | 24 } |
| 25 | |
| 26 -- If you don't want to fall back to dialback, you can list the domains s2s_secure_domains too | |
| 27 s2s_secure_domains = { | |
| 28 "jabber.org"; | |
| 29 } | |
| 31 }}} | 30 }}} |
| 32 | |
| 33 To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}} | |
| 34 | 31 |
| 35 = Compatibility = | 32 = Compatibility = |
| 36 | 33 |
| 37 ||trunk||Works|| | 34 ||trunk||Works|| |
| 38 ||0.9||Works|| | 35 ||0.9||Works|| |