poezio/doc/en/ssl.txt

SSL Management
==============

Starting from version 0.7.5, poezio offers some options to check the validity
of a X.509 certificate.

TOFU
----

The default handling method is the
link:https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use[TOFU/TUFU]
method. At your first connection, poezio will save the hash of the certificate
received, and will compare the received one and the first one for the next
connections.


If you are paranoid (or run poezio for the first time in an unsafe
environment), you can set the _certificate_ value of your config file yourself
(the hash, not colon-separated).


If the certificate is not the same, poezio will show an error message and wait
for confirmation:

image:../images/ssl_warning.png["Warning message", title="Warning message"]

If you press y, the change is validated an poezio will match the next certs
with the accepted one.

If you press n, you will get the confirmation that the change has been
refused, and you will be disconnected.

CA-Based
--------

If you are connecting to a large server that has several front-facing
endpoints, you might be bothered by having to validate the change each time,
and you may want to check only if it the same authority delivered the
certificate.

You can then set the _ca_cert_path_ option to the path of a file containing
the validation chain in link:https://tools.ietf.org/html/rfc1422.html[PEM
format] ; those certificates are usually in /usr/share/ca-certificates/ but it
may vary depending of your distribution.

If the authority does not match when connecting, you should be disconnected.

None
----

If you do not want to bother with certificate validation at all (which can be
the case when you run poezio on the same computer as your jabber server), you
can set the _ignore_certificate_ value to true, and let the _ca_cert_path_
option empty (or even remove it).
Document the certificate handling - Show the various options - Optimize the documentation images 2012-07-03 12:35:41 +00:00			`SSL Management`
			`==============`

			`Starting from version 0.7.5, poezio offers some options to check the validity`
			`of a X.509 certificate.`

			`TOFU`
			`----`

			`The default handling method is the`
			`link:https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use[TOFU/TUFU]`
			`method. At your first connection, poezio will save the hash of the certificate`
			`received, and will compare the received one and the first one for the next`
			`connections.`


			`If you are paranoid (or run poezio for the first time in an unsafe`
			`environment), you can set the _certificate_ value of your config file yourself`
			`(the hash, not colon-separated).`


			`If the certificate is not the same, poezio will show an error message and wait`
			`for confirmation:`

			`image:../images/ssl_warning.png["Warning message", title="Warning message"]`

			`If you press y, the change is validated an poezio will match the next certs`
			`with the accepted one.`

			`If you press n, you will get the confirmation that the change has been`
			`refused, and you will be disconnected.`

			`CA-Based`
			`--------`

			`If you are connecting to a large server that has several front-facing`
			`endpoints, you might be bothered by having to validate the change each time,`
			`and you may want to check only if it the same authority delivered the`
			`certificate.`

			`You can then set the _ca_cert_path_ option to the path of a file containing`
			`the validation chain in link:https://tools.ietf.org/html/rfc1422.html[PEM`
			`format] ; those certificates are usually in /usr/share/ca-certificates/ but it`
			`may vary depending of your distribution.`

			`If the authority does not match when connecting, you should be disconnected.`

			`None`
			`----`

			`If you do not want to bother with certificate validation at all (which can be`
			`the case when you run poezio on the same computer as your jabber server), you`
			`can set the _ignore_certificate_ value to true, and let the _ca_cert_path_`
			`option empty (or even remove it).`