Subj : src/sbbs3/js_socket.c js_socket.h
To   : Git commit to main/sbbs/master
From : Deuce
Date : Sat Nov 08 2025 13:37:47

https://gitlab.synchro.net/main/sbbs/-/commit/495ca643bcd016cac27b0a1f

Modified Files:
src/sbbs3/js_socket.c js_socket.h

Log Message:
Add five new TLS properties to the socket object

tls_nameverify (defaults to true)
Ensures the remote hostname is in the certificate. Turning this off will allow any valid certificate to be used by the remote. Only useful for testing, insecure for actual use.

tls_certverify (defaults to true)
Validates the certificate. Only useful for testing. Turning this off basically makes TLS a joke.

tls_client_auth (defaults to false)
When set by a server, requires a client certificate for the TLS session. When set by a client, will provide the current certificate to the server if requested.

tls_enhanced_certcheck (defaults to false)
Checks a bit more of the remote certificate for validity. A small number of internet hosts need this disabled to allow TLS; these hosts have suspect certificates, but web browsers think they're good enough, so we do too by default.

tls_remote_cert
This property is a CryptCert object created when a client connection is established, and when a server that has tls_client_auth enabled accepts a connection. Actually using this object is quite complex and painful, but hopefully we can get the Subject Alt Names out of it someday, which will allow TLS-secured BinkIT sessions to verify that the remote is actually connecting from an IP address that maps back to the FidoNet node using the domain DNS lookup. With this and a reasonable list of trusted CAs (it's not clear what is currently used, if anything), we can actually have mutually authenticated connections from FTN nodes that don't have explicit links configured... which would be the first step toward making netmail not be trivially spoofable. A lot of work after this still left to do though.
--- ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net