Re: TOFU/cert pinning in libtls

2020-05-10 Thread Ingo Schwarze
Hi Lucas, Lucas wrote on Sat, May 09, 2020 at 06:18:50PM +: > I experimented with cert FP pinning in the past, too. tls_peer_cert_hash > is probably what you're looking for. Found it looking at > /usr/include/tls.h. Then tried to find it referenced in other manpages, > > oolong$ man -k

TOFU/cert pinning in libtls

2020-05-09 Thread Stephen Gregoratto
I am currently implementing a simple C client for the gemini protocol[1]. All transactions are protected using TLS, with a catch: > Clients can validate TLS connections however they like (including not > at all) but the strongly RECOMMENDED approach is to implement a > lightweight "TOFU"

Re: TOFU/cert pinning in libtls

2020-05-09 Thread Ted Unangst
On 2020-05-09, Bob Beck wrote: > > oolong$ man -k Xr=tls_peer_cert_hash > > nc(1) - arbitrary TCP and UDP connections and listens > > > > That's far from ideal IMO, but I don't know where, of the many tls_* > > manpages, would I reference it. > > man tls_peer_cert_hash > > happily brings up

Re: TOFU/cert pinning in libtls

2020-05-09 Thread Bob Beck
On Sat, May 09, 2020 at 06:18:50PM +, Lucas wrote: > Hello Stephen, > > > My basic idea for the client is: > > > > - load a db of self-signed certs. > > - connect to host > > - if host cert is self signed > > - if not in db, prompt user and add to db > > - if in db, check fingerprint

Re: TOFU/cert pinning in libtls

2020-05-09 Thread Lucas
Hello Stephen, > My basic idea for the client is: > > - load a db of self-signed certs. > - connect to host > - if host cert is self signed > - if not in db, prompt user and add to db > - if in db, check fingerprint and warn user if they don't match. > > Browsing the manuals/source code,