I am currently implementing a simple C client for the Gemini
protocol[1]. All transactions are protected using TLS, with a catch:

> Clients can validate TLS connections however they like (including not
> at all) but the strongly RECOMMENDED approach is to implement a
> lightweight "TOFU" certificate-pinning system which treats self-signed
> certificates as first-class citizens.  This greatly reduces TLS
> overhead on the network (only one cert needs to be sent, not a whole
> chain) and lowers the barrier to entry for setting up a Gemini site
> (no need to pay a CA or setup a Let's Encrypt cron job, just make a
> cert and go).

My basic idea for the client is:

- load a db of self-signed certs.
- connect to host
- if host cert is self-signed
  - if not in db, prompt user and add to db
  - if in db, check fingerprint and warn user if they don't match.

Browsing the manuals/source code, there doesn't seem to be an easy way
to configure this. I don't want to have to use the OpenSSL API for this
:(.

P.S. Big shoutout to Bob for his tutorial[2], it's a great introduction
to an awesome library!

[1] https://gemini.circumlunar.space/docs/spec-spec.txt
[2] https://github.com/bob-beck/libtls/blob/
-- 
Stephen Gregoratto

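An added example, not part of the original message: the pin-database decision from the list above (unknown host, matching pin, changed pin) in plain C. It assumes the fingerprint arrives as a string such as the "SHA256:<hex>" value libtls returns from tls_peer_cert_hash() after the handshake; the `tofu_check` name, the one-pair-per-line database format and the sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum tofu_result { TOFU_NEW, TOFU_MATCH, TOFU_MISMATCH };

/* Constructed sample pin database: one "host fingerprint" pair per line.
 * The hex values are made up; only the "SHA256:<hex>" shape is assumed. */
static const char SAMPLE_DB[] =
    "gemini.example.org SHA256:aa11bb22cc33\n"
    "capsule.example.net SHA256:0123456789ab\n";

/* Look up host in db and compare its pinned fingerprint with the one the
 * server just presented. The first entry for a host wins. */
enum tofu_result
tofu_check(const char *db, const char *host, const char *fingerprint)
{
    const char *line = db;
    size_t hlen = strlen(host);

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Match the whole host field, not just a prefix of it. */
        if (len > hlen && strncmp(line, host, hlen) == 0 && line[hlen] == ' ') {
            const char *pin = line + hlen + 1;
            size_t plen = len - hlen - 1;
            if (plen == strlen(fingerprint) && memcmp(pin, fingerprint, plen) == 0)
                return TOFU_MATCH;
            return TOFU_MISMATCH;   /* known host, different certificate */
        }
        line = eol ? eol + 1 : line + len;
    }
    return TOFU_NEW;                /* first contact: prompt, then store */
}

int
main(void)
{
    static const char *names[] = { "new", "match", "MISMATCH" };
    printf("%s\n", names[tofu_check(SAMPLE_DB, "gemini.example.org", "SHA256:aa11bb22cc33")]);
    printf("%s\n", names[tofu_check(SAMPLE_DB, "gemini.example.org", "SHA256:ffffffffffff")]);
    printf("%s\n", names[tofu_check(SAMPLE_DB, "gemini.example", "SHA256:aa11bb22cc33")]);
    return 0;
}
```

With chain verification switched off to accept self-signed certificates, this comparison is the only server authentication left, so a TOFU_MISMATCH should stop the request before any data is sent.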