From ef84a109e8f492c83979443b6366fb8ca4028009 Mon Sep 17 00:00:00 2001
From: mathieui <mathieui@mathieui.net>
Date: Tue, 10 Oct 2017 00:52:44 +0200
Subject: Fix #3190 (TOFU the SPKI hash and not the whole cert)

Makes letsencrypt renewals more pleasant.
Thanks jonasw and aioxmpp for the ASN.1 wizardry
---
 doc/source/configuration.rst | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'doc/source/configuration.rst')

diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index d9b3d6e9..51f1176d 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -62,11 +62,16 @@ and certificate validation.
 
         **Default value:** ``[empty]``
 
-        The SHA-2 fingerprint of the SSL certificate as a hexadecimal string,
-        you should not touch it, except if know what you are doing.
+        The SHA-2 fingerprint of the SubjectPublicKeyInfo of the SSL
+        certificate as a hexadecimal string, you should not touch it,
+        except if know what you are doing.
 
-        .. note:: the fingerprint was previously stored in SHA-1, and has been
-                silently upgraded to SHA-2 if the SHA-1 still matched.
+        .. note:: the fingerprint was previously a fingerprint of the whole
+                  certificate, while it is now only of the SubjectPublicKeyInfo,
+                  which persists across LetsEncrypt renewals, and therefore
+                  reduces the noise generated by the alert dialog.
+
+     .. versionchanged:: 0.12
 
     ciphers
 
-- 
cgit v1.2.3