Hello Stephen, > My basic idea for the client is: > > - load a db of self-signed certs. > - connect to host > - if host cert is self signed > - if not in db, prompt user and add to db > - if in db, check fingerprint and warn user if they don't match. > > Browsing the manuals/source code, there doesn't seem to be an easy way > to configure this. I don't want to have to use the OpenSSL API for this > :(.
I experimented with cert FP pinning in the past, too. tls_peer_cert_hash is probably what you're looking for. Found it looking at /usr/include/tls.h. Then tried to find it referenced in other manpages, oolong$ man -k Xr=tls_peer_cert_hash nc(1) - arbitrary TCP and UDP connections and listens That's far from ideal IMO, but I don't know where, of the many tls_* manpages, would I reference it. HTH, -Lucas