# HG changeset patch # User Kim Alvefur # Date 1398562793 -7200 # Node ID 171663daa144b2d98128cbfe9f95933087c73eb5 # Parent 042161223488cbd41bc46e9528ea4fb7591fc9aa mod_s2s_auth_fingerprint: remove info about pinning, this is the default now diff -r 042161223488 -r 171663daa144 mod_s2s_auth_fingerprint.wiki --- a/mod_s2s_auth_fingerprint.wiki Sun Apr 27 03:39:13 2014 +0200 +++ b/mod_s2s_auth_fingerprint.wiki Sun Apr 27 03:39:53 2014 +0200 @@ -3,16 +3,10 @@ = Introduction = -This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint. -This is useful if you have many connections to servers that use self-signed certificates. +This module allows you to manually pin certificate fingerprints of remote servers. = Details = -In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed. -If it doesn't match, the status of the standard PKIX and identity validation is preserved. -Thus it is easy to switch from a self-signed certificate to a CA-signed certificate. - -The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning. Servers not listed in the configuration are not affected. = Configuration = @@ -28,10 +22,13 @@ "CF:F3:EC:43:A9:D5:D1:4D:D4:57:09:55:52:BC:5D:73:06:1A:A1:A0"; }; } + +-- If you don't want to fall back to dialback, you can list the domains s2s_secure_domains too +s2s_secure_domains = { + "jabber.org"; +} }}} -To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}} - = Compatibility = ||trunk||Works||
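Review bot: In the first hunk (@@ -3,16 +3,10 @@), Details is left with only "Servers not listed in the configuration are not affected.", so the page no longer says what happens when a listed server presents a certificate that matches none of its listed fingerprints. The commit message says pinning is the default now, but the wiki text itself never states it. Suggest adding a sentence to Details that gives the outcome for a listed server whose certificate does not match, and says whether PKIX and identity validation are still consulted in that case. The removed text also covered switching a peer from a self-signed to a CA-signed certificate; with pinning as the default, a line reminding operators to update the listed fingerprints when a peer changes its certificate would be worth keeping.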
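Review bot: In the second hunk (@@ -28,10 +22,13 @@), the added comment "If you don't want to fall back to dialback, you can list the domains s2s_secure_domains too" is the only place the page mentions a dialback fallback, and it is missing a word ("list the domains in s2s_secure_domains"). The comment implies that a listed domain can still be authenticated through dialback unless it is also in s2s_secure_domains, which matters to anyone relying on the pin, so it belongs in Details as prose and not only in a config comment. The same hunk removes the line "To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}}" without a note for existing configurations; say whether that option is now ignored so operators who set it know it can be dropped.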