Mercurial > prosody-wiki
comparison mod_s2s_auth_fingerprint.wiki @ 399:c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 16 Aug 2013 00:23:17 +0200 |
parents | 4a39ef28e2d9 |
children | dc20cb1bb874 |
comparison
equal
deleted
inserted
replaced
398:5b53e4534f65 | 399:c35cf2a46b78 |
---|---|
1 #summary Fingerprint based s2s authentication | 1 #summary Fingerprint based s2s authentication |
2 | 2 |
3 = Introduction = | 3 = Introduction = |
4 | 4 |
5 This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint. | 5 This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint. |
6 This is useful if you have many connections to servers that use self-signed certificates. | |
7 | |
8 = Details = | |
9 | |
10 In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed. | |
11 If it doesn't match, the status of the standard PKIX and identity validation is preserved. | |
12 Thus it is easy to switch from a self-signed certificate to a CA-signed certificate. | |
13 | |
14 The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning. | |
15 Servers not listed in the configuration are not affected. | |
6 | 16 |
7 = Configuration = | 17 = Configuration = |
8 | 18 |
9 After installing and enabling this module, you can put SHA-1 fingerprints of remote servers in your config like this: | 19 After installing and enabling this module, you can put SHA-1 fingerprints of remote servers in your config like this: |
10 | 20 |
16 "CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0"; | 26 "CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0"; |
17 }; | 27 }; |
18 } | 28 } |
19 }}} | 29 }}} |
20 | 30 |
31 To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}} | |
32 | |
21 = Compatibility = | 33 = Compatibility = |
22 | 34 |
23 ||trunk||Works|| | 35 ||trunk||Works|| |
24 ||0.9||Works|| | 36 ||0.9||Works|| |
37 ||0.8||Doesn't work|| | |
25 | 38 |