From f8bb98e7208b0200c2195c39614b02315331feeb Mon Sep 17 00:00:00 2001 From: polskafan <52006325+polskafan@users.noreply.github.com> Date: Thu, 8 Aug 2024 09:56:26 +0200 Subject: [PATCH] Update TLS.md (#1401) * Update TLS.md document Let's Encrypt certificate changes * cleanup list of certificates --- docs/TLS.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/TLS.md b/docs/TLS.md index 8943ceea11..a9494c5308 100644 --- a/docs/TLS.md +++ b/docs/TLS.md @@ -5,12 +5,14 @@ Starting with version 10.0.0.4, TLS now support dual mode, depending of the value of `SetOption132`: - `SetOption132 0` (default): the server's identity is checked against pre-defined Certificate Authorities. There is no further configuration needed. Tasmota includes the following CAs: - - [LetsEncrypt R3 certificate](https://letsencrypt.org/certificates/), RSA 2048 bits SHA 256, valid until 20250915 + - [Let's Encrypt ISRG Root X1](https://letsencrypt.org/certificates/), RSA 4096 bits SHA 256, valid until 20300604, starting with Tasmota version 13.4.1.2 - [Amazon Root CA](https://www.amazontrust.com/repository/), RSA 2048 bits SHA 256, valid until 20380117, used by AWS IoT - `SetOption132 1`: Fingerprint validation. This method works for any server certificate, including self-signed certificates. The server's public key is hashed into a fingerprint and compared to a pre-recorded value. This method is more universal but requires an additional configuration (see below) There is no performance difference between both modes. +Because of [changes](https://letsencrypt.org/2024/04/12/changes-to-issuance-chains) in the Let's Encrypt certificate chain, Tasmota needs to be updated to at least version 13.4.1.2 to validate certificates issued by Let's Encrypt after June 6th, 2024. + ## Fingerprint Validation The fingerprint is now calculated on the server's Public Key and no longer on its Certificate. The good news is that Public Keys tend to change far less often than certificates, i.e. LetsEncrypt triggers a certificate renewal every 3 months, the Public Key fingerprint will not change after a certificate renewal. The bad news is that there is no `openssl` command to retrieve the server's Public Key fingerprint.