From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from duke.felloff.net ([216.126.196.34]) by ewsd; Tue Jul 21 02:55:32 EDT 2020
Message-ID: <1E3A0ADB98B6D4C010667966E65644EE@felloff.net>
Date: Tue, 21 Jul 2020 08:55:22 +0200
From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: Re: [9front] patch smtp: ignore unrecognized certificates
In-Reply-To: <20200720144654.GA1570@polynum.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: overflow-preventing converged realtime grid-oriented out-scaling framework

that's why you really want to pin the key, not the cert. this is what
we do at the moment. the thumbprint is a hash of the public key, not
the certificate. so the cert can be renewed without changing the key.

	/* digest the SubjectPublicKeyInfo of the DER cert, not the whole cert */
	if(X509digestSPKI(cert, len, sha2_256, hash) < 0)
		return 0;
	/* accept when that key digest is in the pinned thumbprint table */
	if(okThumbprint(hash, SHA2_256dlen, table))
		return 1;

-- 
cinap
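The point of the reply is that an SPKI thumbprint outlives a certificate renewal as long as the key is kept, whereas a hash of the whole certificate does not. The following Python is an added illustration of that check, not code from the email or from 9front's libsec. It walks just enough DER to pull the SubjectPublicKeyInfo out of an X.509 certificate, digests it with SHA-256 and looks the digest up in a pin table, mirroring the shape of the X509digestSPKI/okThumbprint snippet. The three certificates it works on are constructed in the block itself with placeholder P-256 points and all-zero signatures (nothing is signature-checked here; the names check_peer, spki_thumbprint and make_cert are this example's own), so it runs offline and shows a renewed cert with the same key still matching the pin while a cert with a new key does not.

```python
"""SPKI pinning: hash the SubjectPublicKeyInfo, not the whole certificate.

Added illustration; the certificates below are constructed by hand with
placeholder keys and zero signatures, so nothing here is verifiable.
"""
import hashlib

# ---- minimal DER helpers --------------------------------------------------

def der(tag, body):
    """Encode a DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def x509_spki(cert):
    """Return the DER SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    tag, pos, _ = read_tlv(cert, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, tbs_end = read_tlv(cert, pos)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    if cert[pos] == 0xA0:                       # optional [0] EXPLICIT version
        pos = read_tlv(cert, pos)[2]
    for _ in range(5):                          # serial, signature, issuer, validity, subject
        pos = read_tlv(cert, pos)[2]
    start = pos
    tag, _, end = read_tlv(cert, pos)           # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end > tbs_end:
        raise ValueError("bad subjectPublicKeyInfo")
    return cert[start:end]


# ---- the pinning check, same shape as the libsec snippet ------------------

def spki_thumbprint(cert):
    """SHA-256 over the SPKI, i.e. over the public key plus its algorithm id."""
    return hashlib.sha256(x509_spki(cert)).digest()


def cert_thumbprint(cert):
    """SHA-256 over the whole certificate, shown only for comparison."""
    return hashlib.sha256(cert).digest()


def ok_thumbprint(digest, table):
    return digest in table


def check_peer(cert, table):
    """Digest failure -> reject; key digest found in the pin table -> accept."""
    try:
        digest = spki_thumbprint(cert)
    except ValueError:
        return False
    return ok_thumbprint(digest, table)


# ---- constructed test certificates (placeholder keys, unsigned) -----------

OID_EC_PUBKEY    = bytes.fromhex("06072a8648ce3d0201")    # 1.2.840.10045.2.1
OID_P256         = bytes.fromhex("06082a8648ce3d030107")  # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = bytes.fromhex("06082a8648ce3d040302")  # 1.2.840.10045.4.3.2
OID_CN           = bytes.fromhex("0603550403")            # 2.5.4.3

def ec_spki(point):
    algid = der(0x30, OID_EC_PUBKEY + OID_P256)
    return der(0x30, algid + der(0x03, b"\x00" + point))   # BIT STRING, 0 unused bits

def name(cn):
    return der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, cn.encode()))))

def make_cert(serial, not_before, not_after, spki):
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                 # [0] version v3
              + der(0x02, bytes([serial]))
              + der(0x30, OID_ECDSA_SHA256)
              + name("Constructed Test CA")
              + der(0x30, der(0x17, not_before) + der(0x17, not_after))
              + name("mail.example")
              + spki)
    sig = der(0x03, b"\x00" + bytes(64))                    # placeholder, not a real signature
    return der(0x30, tbs + der(0x30, OID_ECDSA_SHA256) + sig)

KEY_A = b"\x04" + bytes(range(1, 65))      # placeholder uncompressed P-256 point
KEY_B = b"\x04" + bytes(range(65, 129))    # a different placeholder key

CERT_A = make_cert(1, b"200101000000Z", b"210101000000Z", ec_spki(KEY_A))
CERT_B = make_cert(2, b"210101000000Z", b"220101000000Z", ec_spki(KEY_A))  # renewed, same key
CERT_C = make_cert(3, b"210101000000Z", b"220101000000Z", ec_spki(KEY_B))  # different key

PINS = {spki_thumbprint(CERT_A)}   # what a thumbprint file would record for the peer

if __name__ == "__main__":
    print("renewed cert, same key  ->", check_peer(CERT_B, PINS))                            # True
    print("cert with a new key     ->", check_peer(CERT_C, PINS))                            # False
    print("whole-cert hash changed ->", cert_thumbprint(CERT_A) != cert_thumbprint(CERT_B))  # True
```

The whole-cert digest of CERT_A and CERT_B differs because the serial and validity changed, yet both certificates carry byte-identical SubjectPublicKeyInfo, so the pinned SPKI digest still matches; only CERT_C, which carries a new key, is rejected. Malformed input is rejected rather than raising, matching the `< 0` branch in the snippet.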