| author | Guilhem Moulin <guilhem@fripost.org> | 2016-12-01 14:26:37 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-12-01 14:26:37 +0100 | 
| commit | b399fbee737ebe99491bf1370002bbff00a784e0 (patch) | |
| tree | ab00dc6b6e97ad8f8cabedbac71a4c5361a81833 /interimap.md | |
| parent | 986edff592c159cb9057e960f380057ff06da939 (diff) | |
"fingerprint" now only pins the cert's SPKI, not the cert itself.
Diffstat (limited to 'interimap.md')
| -rw-r--r-- | interimap.md | 17 | 
1 files changed, 12 insertions, 5 deletions
| diff --git a/interimap.md b/interimap.md index 7d119ab..b923933 100644 --- a/interimap.md +++ b/interimap.md @@ -345,12 +345,19 @@ Valid options are:  *SSL_fingerprint* -:   Fingerprint of the server certificate (or its public key) in the -    form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm -    (by default `sha256`). +:   Fingerprint of the server certificate's Subject Public Key Info, in +    the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by +    default `sha256`).      Attempting to connect to a server with a non-matching certificate -    fingerprint causes `interimap` to abort the connection during the -    SSL/TLS handshake. +    SPKI fingerprint causes `interimap` to abort the connection during +    the SSL/TLS handshake. + +    You can use the following command to compute the SHA-256 digest of +    certificate's Subject Public Key Info. + +        openssl x509 -in /path/to/server/certificate.pem -pubkey \ +        | openssl pkey -pubin -outform DER \ +        | openssl dgst -sha256  *SSL_verify* | 
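Review bot: the rewritten *SSL_fingerprint* entry removes the "server certificate (or its public key)" wording but does not say that a value computed over the whole certificate no longer matches, so a reader upgrading with such a value pinned will see the handshake abort with no hint in the documentation as to why. A sentence stating that only the SPKI digest is accepted and that older whole-certificate fingerprints must be recomputed would cover this. In the added command, `openssl x509 -in ... -pubkey` also prints the certificate itself after the public key unless `-noout` is given; adding `-noout` keeps the pipeline input to the key alone. It would also help to say which part of the `openssl dgst -sha256` output goes into `DIGEST_HEX`, since that command prefixes the hex digest with a label. Minor wording: "digest of certificate's Subject Public Key Info" is missing "the" before "certificate's".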
