prosody-wiki: mod_s2s_auth_fingerprint.wiki comparison

mod_s2s_auth_fingerprint: Describe cert pinning mode

comparison

equal deleted inserted replaced

-:5b53e4534f65
+:c35cf2a46b78
 #summary Fingerprint based s2s authentication
 = Introduction =
 This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint.
+This is useful if you have many connections to servers that use self-signed certificates.
+= Details =
+In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed.
+If it doesn't match, the status of the standard PKIX and identity validation is preserved.
+Thus it is easy to switch from a self-signed certificate to a CA-signed certificate.
+The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning.
+Servers not listed in the configuration are not affected.
 = Configuration =
 After installing and enabling this module, you can put SHA-1 fingerprints of remote servers in your config like this:
 		"CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0";
 	};
 }
 }}}
+To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}}
 = Compatibility =
 ||trunk||Works||
 ||0.9||Works||
+||0.8||Doesn't work||

Mercurial > prosody-wiki