# HG changeset patch # User Kim Alvefur # Date 1376605397 -7200 # Node ID c35cf2a46b7895cac0f6be279f09fd114501b3bd # Parent 5b53e4534f65892d2bbd347c698e5ce4084f42f9 mod_s2s_auth_fingerprint: Describe cert pinning mode diff -r 5b53e4534f65 -r c35cf2a46b78 mod_s2s_auth_fingerprint.wiki --- a/mod_s2s_auth_fingerprint.wiki Fri Aug 16 00:20:35 2013 +0200 +++ b/mod_s2s_auth_fingerprint.wiki Fri Aug 16 00:23:17 2013 +0200 @@ -3,6 +3,16 @@ = Introduction = This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint. +This is useful if you have many connections to servers that use self-signed certificates. + += Details = + +In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed. +If it doesn't match, the status of the standard PKIX and identity validation is preserved. +Thus it is easy to switch from a self-signed certificate to a CA-signed certificate. + +The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning. +Servers not listed in the configuration are not affected. = Configuration = @@ -18,8 +28,11 @@ } }}} +To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}} + = Compatibility = ||trunk||Works|| ||0.9||Works|| +||0.8||Doesn't work||
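Review bot: In the first hunk (the new "= Details =" section), the sentence "reject listed servers that don't match one of the listed fingerprints, aka certificate pinning" is ambiguous because "listed" is used for both the servers and the fingerprints, and the "aka" reads as a note rather than documentation. Suggest "In the optional pinning mode, a server that appears in the configuration but presents a certificate whose fingerprint is not among those configured for it is rejected, even if the certificate would pass PKIX validation (this is certificate pinning)." The same hunk should also state the operational consequence that follows from it: in pinning mode the configured fingerprints must be updated before a pinned server rotates its certificate, otherwise s2s connections to it are refused, whereas in the default mode a rotation simply falls back to the standard PKIX result as the text already explains.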
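Review bot: In the second hunk (the "= Configuration =" addition), the line "To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}}" is missing its closing period and does not say what the default is, even though the Details section describes pinning as an optional mode distinct from the default; suggest "To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}} (the default is false, i.e. only trust-on-match)." The new compatibility row "||0.8||Doesn't work||" would also help readers if it briefly said why, for example which API the module needs that 0.8 lacks, so that the row does not read as an untested guess.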