On 1/19/22 16:46, Viktor Dukhovni wrote:
> Only "-l dane" can produce a "Verified" result with no explicit trust
> ...
> the default is to not trust any CAs.
ah. thx! o/
posttls-finger -cC -lsecure -F /etc/ssl/certs/ca-bundle.trust.crt '[mx.example.com]'
posttls-finger: mx.example.com[XX.XX.XX.X3]:25: matched peername:
mx.example.com
posttls-finger: mx.example.com[XX.XX.XX.X3]:25:
subject_CN=mx.example.com, issuer_CN=R3, fingerprint=..., pkey_fingerprint=...
posttls-finger: Verified TLS connection established to
mx.example.com[XX.XX.XX.X3]:25: TLSv1.3 with cipher
TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X448 server-signature
ECDSA (P-384) server-digest SHA384
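An added example, not part of the original message and not Postfix code: a small Python parser for the result line posttls-finger prints, so the "Verified" check shown above can be run unattended and the trust outcome, protocol and cipher extracted. The sample output is a constructed copy of the lines quoted above, re-joined onto single lines.

```python
import re
from typing import Optional

# Constructed sample, modelled on the posttls-finger output quoted in the
# message above (masked IP octets kept as in the original).
SAMPLE_OUTPUT = """\
posttls-finger: mx.example.com[XX.XX.XX.X3]:25: matched peername: mx.example.com
posttls-finger: mx.example.com[XX.XX.XX.X3]:25: subject_CN=mx.example.com, issuer_CN=R3, fingerprint=..., pkey_fingerprint=...
posttls-finger: Verified TLS connection established to mx.example.com[XX.XX.XX.X3]:25: TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X448 server-signature ECDSA (P-384) server-digest SHA384
"""

# Postfix reports one of four trust outcomes for an established TLS session:
# Verified (CA chain or DANE plus name match), Trusted (chain OK, no name match),
# Untrusted (chain not trusted), Anonymous (no certificate at all).
RESULT_RE = re.compile(
    r"^posttls-finger: (?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection "
    r"established to (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)(?: key-exchange (?P<kex>\S+))?"
)


def parse_result(output: str) -> Optional[dict]:
    """Return trust level, peer, protocol and cipher details of the session,
    or None if posttls-finger never reported an established TLS connection."""
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"])
            d["algbits"] = int(d["algbits"])
            return d
    return None


def meets_secure_policy(output: str) -> bool:
    """True only for a 'Verified' outcome, i.e. what '-l secure' with an explicit
    CA bundle (or '-l dane') must produce; anything weaker fails the check."""
    r = parse_result(output)
    return r is not None and r["level"] == "Verified"


if __name__ == "__main__":
    print(parse_result(SAMPLE_OUTPUT))
    print("secure policy met:", meets_secure_policy(SAMPLE_OUTPUT))
```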