| author | mathieui <firstname.lastname@example.org> | 2017-10-10 00:52:44 +0200 |
| committer | mathieui <email@example.com> | 2017-10-10 00:52:44 +0200 |
Fix #3190 (TOFU the SPKI hash and not the whole cert)
Makes letsencrypt renewals more pleasant. Thanks jonasw and aioxmpp for the ASN.1 wizardry
Diffstat (limited to 'doc')
1 files changed, 9 insertions, 4 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index d9b3d6e9..51f1176d 100644
@@ -62,11 +62,16 @@ and certificate validation.
**Default value:** ``[empty]``
- The SHA-2 fingerprint of the SSL certificate as a hexadecimal string,
- you should not touch it, except if know what you are doing.
+ The SHA-2 fingerprint of the SubjectPublicKeyInfo of the SSL
+ certificate as a hexadecimal string, you should not touch it,
+ except if know what you are doing.
- .. note:: the fingerprint was previously stored in SHA-1, and has been
- silently upgraded to SHA-2 if the SHA-1 still matched.
+ .. note:: the fingerprint was previously a fingerprint of the whole
+ certificate, while it is now only of the SubjectPublicKeyInfo,
+ which persists across LetsEncrypt renewals, and therefore
+ reduces the noise generated by the alert dialog.
+ .. versionchanged:: 0.12
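Review bot: The replacement note (the "+ .. note::" lines) drops the old sentence about the SHA-1 to SHA-2 upgrade and does not say what happens on upgrade to a whole-certificate fingerprint that is already stored in the configuration; state whether that value is migrated silently or triggers the alert dialog once. The claim that the SubjectPublicKeyInfo "persists across LetsEncrypt renewals" holds only when the renewal keeps the same key pair, so qualify it, for example "which stays the same across renewals as long as the key is reused". The added text also carries over "except if know what you are doing" with the missing "you", "SHA-2" could name the actual digest, and the bare ".. versionchanged:: 0.12" would read better with a one-line description of what changed.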