Currently it is only possible either to validate SSL certs via the local cert store or to connect via plaintext, but when using socat to proxy connections to servers through Tor, for example, I want to use SSL but not have the cert validated.
Of course, another possibility for this special use-case would be adding SOCKS proxy support.
`ircs+insecure` is not planned. Instead, fingerprint pinning should be used.
And that won't check if the domain you're connecting to is the domain the certificate is issued for?
I guess that's better, though I'd then have to change the pinned cert every time the cert changes; something like "domain pinning" would be more convenient (setting a domain for a server that the certificate may be issued to).
If you're going to use Tor, why not use plain-text connections? TLS doesn't provide any value if certificate verification is disabled.
That's true, but I could still use TLS if I could configure the domain check somehow (and also via normal cert pinning, but that is pretty inconvenient).
To fix this:
- Add a new `tls_cert_fingerprint` column to the
- Update our `Network` type and DB implementations accordingly
- Use `tls.Config.VerifyPeerCertificate` to check the fingerprint
- Add a BouncerServ `network update` flag to set the fingerprint
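For the `tls.Config.VerifyPeerCertificate` step above, here is an added example of what a fingerprint-pinning verifier looks like in Go. It is not code from this project; the function names, the SHA-256-over-DER fingerprint format and the `AB:CD:...` input form are assumptions. The key detail is that `InsecureSkipVerify` must be set for the callback to replace (rather than run after) the normal CA and hostname checks, so the callback is the only thing standing between the client and an arbitrary certificate.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// fingerprintOf returns the lowercase hex SHA-256 of a DER-encoded certificate
// (the same value `openssl x509 -fingerprint -sha256` prints, minus the colons).
func fingerprintOf(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// normalizeFingerprint accepts both "AB:CD:..." and "abcd..." forms (assumed input format).
func normalizeFingerprint(fp string) string {
	return strings.ToLower(strings.ReplaceAll(fp, ":", ""))
}

// verifyPinned returns a callback for tls.Config.VerifyPeerCertificate that accepts
// the connection only if the leaf certificate's fingerprint equals the pinned one.
// rawCerts[0] is the leaf as sent by the server; verifiedChains is nil when
// InsecureSkipVerify is set, so it is deliberately ignored here.
func verifyPinned(pinned string) func([][]byte, [][]*x509.Certificate) error {
	want := normalizeFingerprint(pinned)
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("tls: no peer certificate presented")
		}
		got := fingerprintOf(rawCerts[0])
		if got != want {
			return fmt.Errorf("tls: certificate fingerprint mismatch: got %s, want %s", got, want)
		}
		return nil
	}
}

// pinnedTLSConfig builds a client tls.Config where the pin replaces CA and hostname
// verification. Without InsecureSkipVerify the standard checks would still run first
// and a self-signed or mismatched-hostname cert would be rejected before the callback.
func pinnedTLSConfig(pinned string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verifyPinned(pinned),
		MinVersion:            tls.VersionTLS12,
	}
}
```

Because the pin is bound to one exact certificate, it has to be updated whenever the server rotates its cert, which is the inconvenience raised earlier in the thread.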