author | mathieui <mathieui@mathieui.net> | 2017-10-10 00:52:44 +0200 |
---|---|---|
committer | mathieui <mathieui@mathieui.net> | 2017-10-10 00:52:44 +0200 |
commit | ef84a109e8f492c83979443b6366fb8ca4028009 (patch) | |
tree | 199acf4a299122f3a0a39bb94f810fdf293020b0 /doc | |
parent | dcdc970acd64d1c3925a2c8c5690b58e209e001c (diff) | |
Fix #3190 (TOFU the SPKI hash and not the whole cert)
Makes letsencrypt renewals more pleasant.
Thanks jonasw and aioxmpp for the ASN.1 wizardry
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/configuration.rst | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index d9b3d6e9..51f1176d 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -62,11 +62,16 @@ and certificate validation. **Default value:** ``[empty]`` - The SHA-2 fingerprint of the SSL certificate as a hexadecimal string, - you should not touch it, except if know what you are doing. + The SHA-2 fingerprint of the SubjectPublicKeyInfo of the SSL + certificate as a hexadecimal string, you should not touch it, + except if know what you are doing. - .. note:: the fingerprint was previously stored in SHA-1, and has been - silently upgraded to SHA-2 if the SHA-1 still matched. + .. note:: the fingerprint was previously a fingerprint of the whole + certificate, while it is now only of the SubjectPublicKeyInfo, + which persists across LetsEncrypt renewals, and therefore + reduces the noise generated by the alert dialog. + + .. versionchanged:: 0.12 ciphers |
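Review bot: The rewritten `.. note::` drops the old sentence about the silent upgrade and does not say what happens to a whole-certificate fingerprint already stored in the configuration. State whether the stored value is migrated silently when the old hash still matches, or whether the user sees the alert dialog once after upgrading. The added `.. versionchanged:: 0.12` has no body text; a one-line description of the switch to the SubjectPublicKeyInfo hash would make it useful. The reworded description keeps "except if know what you are doing", which is missing "you", and "SHA-2" names a family rather than a specific digest, so naming the exact hash would help anyone comparing the value by hand. It is also worth documenting the trust consequence visible in the note: a certificate reissued with the same key pair now passes without an alert, while a key change still triggers one.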