On Sat, May 09, 2020 at 06:18:50PM +0000, Lucas wrote: > Hello Stephen, > > > My basic idea for the client is: > > > > - load a db of self-signed certs. > > - connect to host > > - if host cert is self signed > > - if not in db, prompt user and add to db > > - if in db, check fingerprint and warn user if they don't match. > > > > Browsing the manuals/source code, there doesn't seem to be an easy way > > to configure this. I don't want to have to use the OpenSSL API for this > > :(. > > I experimented with cert FP pinning in the past, too. tls_peer_cert_hash > is probably what you're looking for. Found it looking at > /usr/include/tls.h. Then tried to find it referenced in other manpages, > > oolong$ man -k Xr=tls_peer_cert_hash > nc(1) - arbitrary TCP and UDP connections and listens > > That's far from ideal IMO, but I don't know where, of the many tls_* > manpages, would I reference it.
man tls_peer_cert_hash happily brings up the man page on my machines.