changeset 399:c35cf2a46b78

mod_s2s_auth_fingerprint: Describe cert pinning mode
author Kim Alvefur <zash@zash.se>
date Fri, 16 Aug 2013 00:23:17 +0200
parents 5b53e4534f65
children c5d049266555
files mod_s2s_auth_fingerprint.wiki
diffstat 1 files changed, 13 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_fingerprint.wiki	Fri Aug 16 00:20:35 2013 +0200
+++ b/mod_s2s_auth_fingerprint.wiki	Fri Aug 16 00:23:17 2013 +0200
@@ -3,6 +3,16 @@
 = Introduction =
 
 This module allows you to explicitly say that you trust remote servers if they show a certificate with a known fingerprint.
+This is useful if you have many connections to servers that use self-signed certificates.
+
+= Details =
+
+In the default mode, the module will only mark connections as trusted *if* their certificate matches one of the fingerprints listed.
+If it doesn't match, the status of the standard PKIX and identity validation is preserved.
+Thus it is easy to switch from a self-signed certificate to a CA-signed certificate.
+
+The module has an optional mode in which it will reject listed servers that don't match one of the listed fingerprints, aka certificate pinning.
+Servers not listed in the configuration are not affected.
 
 = Configuration =
 
@@ -18,8 +28,11 @@
 }
 }}}
 
+To enable certificate pinning mode, set {{{s2s_pin_fingerprints = true}}}
+
 = Compatibility =
 
 ||trunk||Works||
 ||0.9||Works||
+||0.8||Doesn't work||