Hello Stephen,

> My basic idea for the client is:
> - load a db of self-signed certs.
> - connect to host
> - if host cert is self signed
>   - if not in db, prompt user and add to db
>   - if in db, check fingerprint and warn user if they don't match.
> Browsing the manuals/source code, there doesn't seem to be an easy way
> to configure this. I don't want to have to use the OpenSSL API for this
> :(.

I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
is probably what you're looking for. Found it looking at
/usr/include/tls.h. Then tried to find it referenced in other manpages,

oolong$ man -k Xr=tls_peer_cert_hash 
nc(1) - arbitrary TCP and UDP connections and listens

That's far from ideal IMO, but I don't know where, of the many tls_*
manpages, would I reference it.


Reply via email to