~emersion/soju-dev


“certfp” flag in “network create” is confusing

Message ID
<CY460R623277.2LGJPTHG6770G@vladh.net>
I've seen someone try to do

    network create -addr xxx -username xxx -certfp cafebabecafebabe

to connect to a network using an existing certfp they had generated for
a different network. However, it seems that this “-certfp” flag is
unrelated and used to provide the fingerprint of a server's self-signed
TLS certificate. This introduces confusion with the certfp used to log
in. Would you consider renaming this flag?
Message ID
<8_XLchISSFI-3moFQ7DHrwDWEuS_c5m5Sy8qj0u7QcTltSZ-FS53C1wV_YFSrInpmoHOXDO-5XO2o-3M8oYd90u2faMlg_uJm2r8BVCHydE=@emersion.fr>
In-Reply-To
<CY460R623277.2LGJPTHG6770G@vladh.net>
On Tuesday, January 2nd, 2024 at 11:57, Vlad-Stefan Harbuz <vlad@vladh.net> wrote:

> I've seen someone try to do
> 
>     network create -addr xxx -username xxx -certfp cafebabecafebabe
> 
> to connect to a network using an existing certfp they had generated for
> a different network. However, it seems that this “-certfp” flag is
> unrelated and used to provide the fingerprint of a server's self-signed
> TLS certificate. This introduces confusion with the certfp used to log
> in. Would you consider renaming this flag?

"certfp" here just means "certificate fingerprint"; both sides of the
connection may send a certificate. Note, this isn't the same as the
public key fingerprint.

I'm not against renaming, but do you have a suggestion for a replacement?
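
The distinction drawn in the message above, between a certificate fingerprint and a public key fingerprint, shown as an added Go example (not part of the thread and not soju's code). It assumes SHA-256 over the DER encoding, which the thread does not specify; `fingerprints`, `reissue` and the name `irc.example.org` are hypothetical, and the certificates are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// fingerprints returns SHA-256 (assumed hash) of the whole DER certificate and of its SPKI alone.
func fingerprints(c *x509.Certificate) (certFP, keyFP string) {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw)), fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// reissue signs two constructed sample certificates with one key and returns,
// per certificate, the certificate fingerprint and the public-key fingerprint.
func reissue() (certFPs, keyFPs [2]string, err error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return certFPs, keyFPs, err
	}
	for i := range certFPs {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)), // only the serial differs
			Subject:      pkix.Name{CommonName: "irc.example.org"},
			NotBefore:    time.Unix(1700000000, 0),
			NotAfter:     time.Unix(1800000000, 0),
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
		if err != nil {
			return certFPs, keyFPs, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return certFPs, keyFPs, err
		}
		certFPs[i], keyFPs[i] = fingerprints(c)
	}
	return certFPs, keyFPs, nil
}

func main() {
	certFPs, keyFPs, err := reissue()
	fmt.Printf("certificate fingerprints: %v\npublic-key fingerprints:  %v\nerr: %v\n", certFPs, keyFPs, err)
}
```

A pin on the certificate fingerprint therefore has to be updated whenever the certificate is reissued, even if the key pair is unchanged.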
Message ID
<CY5VSLMLXISS.335T7IN3EIWIT@vladh.net>
In-Reply-To
<8_XLchISSFI-3moFQ7DHrwDWEuS_c5m5Sy8qj0u7QcTltSZ-FS53C1wV_YFSrInpmoHOXDO-5XO2o-3M8oYd90u2faMlg_uJm2r8BVCHydE=@emersion.fr>
On Thu Jan 4, 2024 at 7:45 AM GMT, Simon Ser wrote:
> "certfp" here just means "certificate fingerprint"; both sides of the
> connection may send a certificate. Note, this isn't the same as the
> public key fingerprint.
>
> I'm not against renaming, but do you have a suggestion for a replacement?

Perhaps server-certfp, as in, the fingerprint of the server's
certificate, as opposed to that of the client's certificate? And perhaps
adding a note clarifying this to that option's documentation would also
be beneficial?