From 7380ded584aa2d0f1cf8d8bc9454e26554d17e0e Mon Sep 17 00:00:00 2001
From: Simon Arlott
Date: Mon, 25 Apr 2016 23:52:18 +0100
Subject: [PATCH] ircd.conf.example: use certfp_method = spki_sha256

SHA1 is insecure. SHA2-512 is a bit long. Hashes of the full certificate are really impractical and people need to stop using them.
---
 doc/ircd.conf.example | 2 +-
 doc/reference.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/ircd.conf.example b/doc/ircd.conf.example
index 5d7f984e..1e11bd6f 100644
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@@ -614,7 +614,7 @@ general {
 throttle_count = 4;
 max_ratelimit_tokens = 30;
 away_interval = 30;
- certfp_method = sha1;
+ certfp_method = spki_sha256;
 hide_opers_in_whois = no;
 };
diff --git a/doc/reference.conf b/doc/reference.conf
index d0720a57..d0b17bb0 100644
--- a/doc/reference.conf
+++ b/doc/reference.conf
@@ -1410,7 +1410,7 @@ general {
 * constant even if the certificate is reissued. These fingerprints will be prefixed with
 * "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type.
 */
- certfp_method = sha1;
+ certfp_method = spki_sha256;
 /* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */
 hide_opers_in_whois = no;
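Review bot: The new `certfp_method = spki_sha256;` line in both hunks (doc/ircd.conf.example and doc/reference.conf) changes the value and the format of every client fingerprint the server computes, yet neither hunk warns an operator who copies the example into a running configuration. The visible reference.conf comment says SPKI fingerprints carry an `SPKI:SHA2-256:` prefix, so fingerprints recorded under `sha1` will presumably stop matching after the switch. I would add a comment above the setting in doc/reference.conf such as `/* NOTE: changing certfp_method changes every fingerprint; re-record any stored fingerprints (e.g. those used to authenticate operators or services accounts) after switching. */`, with a one-line pointer to it in doc/ircd.conf.example. The reference.conf comment block starts outside the hunk, so it may already cover part of this.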