diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:06:37 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:29:54 +0100 |
commit | a1ef66a76b4a6651b7371a9fd1e35f2f99e85bfa (patch) | |
tree | fbc80ff754618b91f2fc518cff8c71175b9a0e92 /doc | |
parent | b13c9fa6f442f555af65f869b954935dae40fcc4 (diff) |
libinterimap: SSL_fingerprint now supports a space-separate list of digests to pin.
And succeeds if, and only if, the peer certificate SPKI matches one of
the pinned digest values. Specifying multiple digest values can key
useful in key rollover scenarios and/or when the server supports
certificates of different types (for instance RSA+ECDSA).
Diffstat (limited to 'doc')
-rw-r--r-- | doc/interimap.1.md | 12 | ||||
-rw-r--r-- | doc/pullimap.1.md | 12 |
2 files changed, 18 insertions, 6 deletions
diff --git a/doc/interimap.1.md b/doc/interimap.1.md index c70698b..9b53a69 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -397,9 +397,10 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate's Subject Public Key Info, in - the form `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm - (by default `sha256`). +: Space-separated list of acceptable fingerprints for the server + certificate's Subject Public Key Info, in the form + `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default + `sha256`). Attempting to connect to a server with a non-matching certificate SPKI fingerprint causes `interimap` to abort the connection during the SSL/TLS handshake. @@ -410,6 +411,11 @@ Valid options are: | openssl pkey -pubin -outform DER \ | openssl dgst -sha256 + Specifying multiple digest values can be useful in key rollover + scenarios and/or when the server supports certificates of different + types (for instance RSA+ECDSA). In that case the connection is + aborted when none of the specified digests matches. + *SSL_verify* : Whether to verify the server certificate chain. diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index 87cafbf..2bc4212 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -216,9 +216,10 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate's Subject Public Key Info, in - the form `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm - (by default `sha256`). +: Space-separated list of acceptable fingerprints for the server + certificate's Subject Public Key Info, in the form + `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default + `sha256`). Attempting to connect to a server with a non-matching certificate SPKI fingerprint causes `pullimap` to abort the connection during the SSL/TLS handshake. @@ -229,6 +230,11 @@ Valid options are: | openssl pkey -pubin -outform DER \ | openssl dgst -sha256 + Specifying multiple digest values can be useful in key rollover + scenarios and/or when the server supports certificates of different + types (for instance RSA+ECDSA). In that case the connection is + aborted when none of the specified digests matches. + *SSL_verify* : Whether to verify the server certificate chain. |