I am currently implementing a simple C client for the gemini
protocol[1]. All transactions are protected using TLS, with a catch:
> Clients can validate TLS connections however they like (including not
> at all) but the strongly RECOMMENDED approach is to implement a
> lightweight "TOFU" certifica
Hello Stephen,
> My basic idea for the client is:
>
> - load a db of self-signed certs.
> - connect to host
> - if host cert is self signed
> - if not in db, prompt user and add to db
> - if in db, check fingerprint and warn user if they don't match.
>
> Browsing the manuals/source code, the
On Sat, May 09, 2020 at 06:18:50PM +, Lucas wrote:
> Hello Stephen,
>
> > My basic idea for the client is:
> >
> > - load a db of self-signed certs.
> > - connect to host
> > - if host cert is self signed
> > - if not in db, prompt user and add to db
> > - if in db, check fingerprint an
On 2020-05-09, Bob Beck wrote:
> > oolong$ man -k Xr=tls_peer_cert_hash
> > nc(1) - arbitrary TCP and UDP connections and listens
> >
> > That's far from ideal IMO, but I don't know where, of the many tls_*
> > manpages, would I reference it.
>
> man tls_peer_cert_hash
>
> happily brings up th
Hi Lucas,
Lucas wrote on Sat, May 09, 2020 at 06:18:50PM +:
> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
>
> oolong$ man -k Xr=tl
5 matches
Mail list logo
