view mod_s2s_auth_fingerprint.wiki @ 419:fdff0de712a7

mod_s2s_auth_fingerprint: Describe how to change the digest. (thanks hardfalcon)
author Kim Alvefur <zash@zash.se>
date Sun, 19 Jan 2014 22:38:16 +0100
parents dc20cb1bb874
children 171663daa144
line wrap: on
line source

#summary Fingerprint based s2s authentication
#labels Stage-Alpha, Type-S2SAuth

= Introduction =

This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint.
This is useful if you have many connections to servers that use self-signed certificates.

= Details =

In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed.
If it doesn't match, the status of the standard PKIX and identity validation is preserved.
Thus it is easy to switch from a self-signed certificate to a CA-signed certificate.

The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning.
Servers not listed in the configuration are not affected.

= Configuration =

After installing and enabling this module, you can put fingerprints of remote servers in your config like this:

{{{
s2s_auth_fingerprint_digest = "sha1" -- This is the default. Other options are "sha256" and "sha512"
s2s_trusted_fingerprints = {
	["jabber.org"] = "11:C2:3D:87:3F:95:F8:13:F8:CA:81:33:71:36:A7:00:E0:01:95:ED";
	["matthewwild.co.uk"] = {
		"FD:7F:B2:B9:4C:C4:CB:E2:E7:48:FB:0D:98:11:C7:D8:4D:2A:62:AA";
		"CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0";
	};
}
}}}

To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}}

= Compatibility =

||trunk||Works||
||0.9||Works||
||0.8||Doesn't work||