author: mathieui <mathieui@mathieui.net> 2017-10-10 00:52:44 +0200
committer: mathieui <mathieui@mathieui.net> 2017-10-10 00:52:44 +0200
commit: ef84a109e8f492c83979443b6366fb8ca4028009 (patch)
tree: 199acf4a299122f3a0a39bb94f810fdf293020b0 /doc
parent: dcdc970acd64d1c3925a2c8c5690b58e209e001c (diff)
Fix #3190 (TOFU the SPKI hash and not the whole cert)
Makes letsencrypt renewals more pleasant. Thanks jonasw and aioxmpp for the ASN.1 wizardry
Diffstat (limited to 'doc')
-rw-r--r-- doc/source/configuration.rst 13
1 files changed, 9 insertions, 4 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index d9b3d6e9..51f1176d 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -62,11 +62,16 @@ and certificate validation.
**Default value:** ``[empty]``
- The SHA-2 fingerprint of the SSL certificate as a hexadecimal string,
- you should not touch it, except if know what you are doing.
+ The SHA-2 fingerprint of the SubjectPublicKeyInfo of the SSL
+ certificate as a hexadecimal string, you should not touch it,
+ except if know what you are doing.
- .. note:: the fingerprint was previously stored in SHA-1, and has been
- silently upgraded to SHA-2 if the SHA-1 still matched.
+ .. note:: the fingerprint was previously a fingerprint of the whole
+ certificate, while it is now only of the SubjectPublicKeyInfo,
+ which persists across LetsEncrypt renewals, and therefore
+ reduces the noise generated by the alert dialog.
+
+ .. versionchanged:: 0.12
ciphers
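Review bot: The added note claims the SubjectPublicKeyInfo "persists across LetsEncrypt renewals", which is only true when the renewal reuses the same key pair; a renewal that generates a new key changes the SPKI hash and will still raise the alert dialog, so the sentence should say so. The removed note told users that a stored SHA-1 value was silently upgraded, and the replacement does not say what happens to an already stored whole-certificate fingerprint after upgrading; a line on that under ``.. versionchanged:: 0.12``, which currently has no description, would help. "SHA-2" also leaves the digest variant unspecified, and "except if know what you are doing" is carried over with the missing "you".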