Mercurial > prosody-wiki
changeset 399:c35cf2a46b78
mod_s2s_auth_fingerprint: Describe cert pinning mode
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 16 Aug 2013 00:23:17 +0200 |
| parents | 5b53e4534f65 |
| children | c5d049266555 |
| files | mod_s2s_auth_fingerprint.wiki |
| diffstat | 1 files changed, 13 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_s2s_auth_fingerprint.wiki Fri Aug 16 00:20:35 2013 +0200 +++ b/mod_s2s_auth_fingerprint.wiki Fri Aug 16 00:23:17 2013 +0200 @@ -3,6 +3,16 @@ = Introduction = This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint. +This is useful if you have many connections to servers that use self-signed certificates. + += Details = + +In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed. +If it doesn't match, the status of the standard PKIX and identity validation is preserved. +Thus it is easy to switch from a self-signed certificate to a CA-signed certificate. + +The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning. +Servers not listed in the configuration are not affected. = Configuration = @@ -18,8 +28,11 @@ } }}} +To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}} + = Compatibility = ||trunk||Works|| ||0.9||Works|| +||0.8||Doesn't work||