Explain how long the servers can cache the TLS fingerprints for

matrix-org · Oct 12, 2016 · c61ddee · c61ddee
1 parent 0af6213
commit c61ddee
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
@@ -105,9 +105,10 @@ def default_config(self, config_dir_path, server_name, **kwargs):
         # synapse is using.
         #
         # Homeservers are permitted to cache the list of TLS fingerprints
-        # returned in the key responses. It may be necessary to publish the
-        # fingerprints of a new certificate and wait for the caches on other
-        # servers to expire before deploying it.
+        # returned in the key responses up to the "valid_until_ts" returned in
+        # key. It may be necessary to publish the fingerprints of a new
+        # certificate and wait until the "valid_until_ts" of the previous key
+        # responses have passed before deploying it.
         tls_fingerprints: []
         # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
         """ % locals()