Lucas wrote on Sat, May 09, 2020 at 06:18:50PM +:
> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
> oolong$ man -k
I am currently implementing a simple C client for the gemini
protocol. All transactions are protected using TLS, with a catch:
> Clients can validate TLS connections however they like (including not
> at all) but the strongly RECOMMENDED approach is to implement a
> lightweight "TOFU"
On 2020-05-09, Bob Beck wrote:
> > oolong$ man -k Xr=tls_peer_cert_hash
> > nc(1) - arbitrary TCP and UDP connections and listens
> > That's far from ideal IMO, but I don't know where, of the many tls_*
> > manpages, would I reference it.
> man tls_peer_cert_hash
> happily brings up
On Sat, May 09, 2020 at 06:18:50PM +, Lucas wrote:
> Hello Stephen,
> > My basic idea for the client is:
> > - load a db of self-signed certs.
> > - connect to host
> > - if host cert is self signed
> > - if not in db, prompt user and add to db
> > - if in db, check fingerprint
> My basic idea for the client is:
> - load a db of self-signed certs.
> - connect to host
> - if host cert is self signed
> - if not in db, prompt user and add to db
> - if in db, check fingerprint and warn user if they don't match.
> Browsing the manuals/source code,
Mail list logo