From 9bfcb7e2eba2bd6bfd6d484caffc5823fc4499ca Mon Sep 17 00:00:00 2001 From: mathieui Date: Tue, 3 Jul 2012 14:35:41 +0200 Subject: Document the certificate handling - Show the various options - Optimize the documentation images --- doc/en/ssl.txt | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 doc/en/ssl.txt (limited to 'doc/en/ssl.txt') diff --git a/doc/en/ssl.txt b/doc/en/ssl.txt new file mode 100644 index 00000000..ef7af349 --- /dev/null +++ b/doc/en/ssl.txt @@ -0,0 +1,62 @@ +SSL Management +============== + +Starting from version 0.7.5, poezio offers some options to check the validity +of a X.509 certificate. + +TOFU +---- + +The default handling method is the +link:https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use[TOFU/TUFU] +method. At your first connection, poezio will save the hash of the certificate +received, and will compare the received one and the first one for the next +connections. + + +If you are paranoid (or run poezio for the first time in an unsafe +environment), you can set the _certificate_ value of your config file yourself +(the hash, not colon-separated). + + +If the certificate is not the same, poezio will show an error message and wait +for confirmation: + +image:../images/ssl_warning.png["Warning message", title="Warning message"] + +If you press y, the change is validated an poezio will match the next certs +with the accepted one. + +If you press n, you will get the confirmation that the change has been +refused, and you will be disconnected. + +CA-Based +-------- + +If you are connecting to a large server that has several front-facing +endpoints, you might be bothered by having to validate the change each time, +and you may want to check only if it the same authority delivered the +certificate. + +You can then set the _ca_cert_path_ option to the path of a file containing +the validation chain in link:https://tools.ietf.org/html/rfc1422.html[PEM +format] ; those certificates are usually in /usr/share/ca-certificates/ but it +may vary depending of your distribution. + +If the authority does not match when connecting, you should be disconnected. + +None +---- + +If you do not want to bother with certificate validation at all (which can be +the case when you run poezio on the same computer as your jabber server), you +can set the _ignore_certificate_ value to true, and let the _ca_cert_path_ +option empty (or even remove it). + + + + + + + + -- cgit v1.2.3