SSL and certificate validation

All SSL configuration is done per-storage.

Pinning by fingerprint

To pin the certificate by fingerprint:

[storage foo]
type = "caldav"
...
verify_fingerprint = "6D:83:EA:32:6C:39:BA:08:ED:EB:C9:BC:BE:12:BB:BF:0F:D9:83:00:CC:89:7E:C7:32:05:94:96:CA:C5:59:5E"

SHA-256 fingerprints must be used; MD5 and SHA-1 are insecure and not supported. CA validation is disabled when pinning a fingerprint, so the pinned fingerprint is then the only thing authenticating the server.

You can use the following command for obtaining a SHA256 fingerprint:

echo -n | openssl s_client -connect unterwaditzer.net:443 | openssl x509 -noout -fingerprint -sha256

However, please consider using Let's Encrypt so that you can forget about all of that. It is easier to deploy a free certificate from them than to configure all of your clients to accept a self-signed certificate.
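The following is an added example, not part of vdirsyncer or its documentation, showing what a fingerprint pin check amounts to with the Python standard library: the pin is parsed from the colon-separated form shown above, pins of MD5 or SHA-1 length are rejected, CA validation is switched off as the text describes, and the peer's leaf certificate is compared against the pin in constant time. The DER bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
# The fingerprint is simply SHA-256 over the DER bytes, whatever they contain.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def normalize_fingerprint(pin: str) -> bytes:
    """Parse a pin as written in the config ("AB:CD:..." or "abcd...") into raw bytes.
    Only the SHA-256 length is accepted; 16 bytes (MD5) or 20 bytes (SHA-1) are refused."""
    raw = bytes.fromhex(pin.replace(":", "").replace(" ", ""))
    if len(raw) != 32:
        raise ValueError(f"expected a SHA-256 fingerprint (32 bytes), got {len(raw)} bytes")
    return raw


def fingerprint_of_der(der: bytes) -> str:
    """Same format as `openssl x509 -fingerprint -sha256`: upper-case hex, colon-separated."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def cert_matches_pin(der: bytes, pin: str) -> bool:
    """Constant-time comparison of the certificate digest against the configured pin."""
    return hmac.compare_digest(hashlib.sha256(der).digest(), normalize_fingerprint(pin))


def pinned_context() -> ssl.SSLContext:
    """Context with CA validation disabled, as when a fingerprint is pinned: the pin
    check after the handshake is then the only authentication of the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verify_peer_pin(tls_sock: ssl.SSLSocket, pin: str) -> None:
    """Call immediately after the handshake; abort if the leaf certificate is not the pinned one."""
    der = tls_sock.getpeercert(binary_form=True)
    if der is None or not cert_matches_pin(der, pin):
        tls_sock.close()
        raise ssl.SSLError("server certificate does not match the pinned SHA-256 fingerprint")
```

A certificate saved as PEM can be converted with ssl.PEM_cert_to_DER_cert before hashing, which gives the same value as the openssl pipeline above.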

Custom root CAs

To point vdirsyncer to a custom set of root CAs:

[storage foo]
type = "caldav"
...
verify = "/path/to/cert.pem"

Vdirsyncer uses the aiohttp library, which uses Python's default ssl.SSLContext (https://docs.python.org/3/library/ssl.html#ssl.SSLContext).

There are cases where certificate validation fails even though you can access the server fine through, for example, your browser. This usually indicates that your installation of Python or the aiohttp library is somehow broken. In such cases, it makes sense to explicitly set verify or verify_fingerprint as shown above.

Client Certificates

Client certificates may be specified with the auth_cert parameter. If the key and certificate are stored in the same file, it may be a string:

[storage foo]
type = "caldav"
...
auth_cert = "/path/to/certificate.pem"

If the key and certificate are separate, a list may be used:

[storage foo]
type = "caldav"
...
auth_cert = ["/path/to/certificate.crt", "/path/to/key.key"]