aboutsummaryrefslogtreecommitdiffstats
path: root/doc/interimap.1.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/interimap.1.md')
-rw-r--r--doc/interimap.1.md12
1 files changed, 9 insertions, 3 deletions
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index c70698b..9b53a69 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -397,9 +397,10 @@ Valid options are:
*SSL_fingerprint*
-: Fingerprint of the server certificate's Subject Public Key Info, in
- the form `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm
- (by default `sha256`).
+: Space-separated list of acceptable fingerprints for the server
+ certificate's Subject Public Key Info, in the form
+ `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default
+ `sha256`).
Attempting to connect to a server with a non-matching certificate
SPKI fingerprint causes `interimap` to abort the connection during
the SSL/TLS handshake.
@@ -410,6 +411,11 @@ Valid options are:
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256
+ Specifying multiple digest values can be useful in key rollover
+ scenarios and/or when the server supports certificates of different
+ types (for instance RSA+ECDSA). In that case the connection is
+ aborted when none of the specified digests matches.
+
*SSL_verify*
: Whether to verify the server certificate chain.