From ef84a109e8f492c83979443b6366fb8ca4028009 Mon Sep 17 00:00:00 2001 From: mathieui Date: Tue, 10 Oct 2017 00:52:44 +0200 Subject: Fix #3190 (TOFU the SPKI hash and not the whole cert) Makes letsencrypt renewals more pleasant. Thanks jonasw and aioxmpp for the ASN.1 wizardry --- doc/source/configuration.rst | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index d9b3d6e9..51f1176d 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -62,11 +62,16 @@ and certificate validation. **Default value:** ``[empty]`` - The SHA-2 fingerprint of the SSL certificate as a hexadecimal string, - you should not touch it, except if know what you are doing. + The SHA-2 fingerprint of the SubjectPublicKeyInfo of the SSL + certificate as a hexadecimal string, you should not touch it, + except if know what you are doing. - .. note:: the fingerprint was previously stored in SHA-1, and has been - silently upgraded to SHA-2 if the SHA-1 still matched. + .. note:: the fingerprint was previously a fingerprint of the whole + certificate, while it is now only of the SubjectPublicKeyInfo, + which persists across LetsEncrypt renewals, and therefore + reduces the noise generated by the alert dialog. + + .. versionchanged:: 0.12 ciphers -- cgit v1.2.3
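Review bot: In the rewritten ``.. note::``, the claim that the SubjectPublicKeyInfo fingerprint "persists across LetsEncrypt renewals" holds only when the renewed certificate keeps the same key pair; a renewal that generates a new key changes the SPKI hash and will still trigger the alert dialog, so the note should state that condition. The same note removes the earlier sentence about the SHA-1 to SHA-2 upgrade without saying what happens to a whole-certificate fingerprint that is already stored in the config when this change lands; one sentence on that would help, and it could serve as the description for ``.. versionchanged:: 0.12``, which is currently empty. The option text also still says only "SHA-2" without naming the digest, and the carried-over wording "except if know what you are doing" is missing "you".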