TZUTC: -0800   
   MSGID: 53467.syncprog@1:103/705 2d75bf06   
   PID: Synchronet 3.21a-Linux master/88b423313 Sep 29 2025 GCC 12.2.0   
   TID: SBBSecho 3.31-Linux master/d39e01091 Nov 03 2025 GCC 12.2.0   
   BBSID: VERT   
   CHRS: UTF-8 4   
   FORMAT: flowed   
   https://gitlab.synchro.net/main/sbbs/-/commit/495ca643bcd016cac27b0a1f   
   Modified Files:   
   	src/sbbs3/js_socket.c js_socket.h   
   Log Message:   
   Add five new TLS properties to the socket object   
      
   tls_nameverify (defaults to true)   
   Ensures the remote hostname is in the certificate.   
   Turning this off will allow any valid certificate to be used by the remote   
   Only useful for testing, insecure for actual use.   
      
   tls_certverifiy (defaults to true)   
   Validates the certificate.   
   Only useful for testing. Turning this off basically makes TLS a joke.   
      
   tls_client_auth (defaults to false)   
   When set by a server, requires a client certificate for the TLS session.   
   When set by a client, will provide the current certificate to the server if   
   requested.   
      
   tls_enhanced_certcheck (defaults to false)   
   Checks a bit more of the remote certificate for validity. A small   
   number of internet hosts need this disabled to allow TLS, these hosts   
   have suspect certificates, but web browsers think they're good enough,   
   so we do too by default.   
      
   tls_remote_cert   
   This property is a CryptCert object created when a client connection   
   is established, and when a server that has tls_client_auth enabled   
   accepts a connection. Actually using this object is quite complex   
   and painful, but hopefully we can get the Subject Alt Names out of   
   it someday, which will allow TLS secured BinkIT sessions to verify   
   that the remote is actually connecting from an IP address that maps   
   back to the FidoNet node using the domain DNS lookup. With this and   
   a reasonable list of trusted CAs (it's not clear what is currently   
   used if anything), we can actually have mutually authenticated   
   connections from FTN nodes that don't have explicit links   
   configured... which would be the first step toward making netmail   
   not be trivially spoofable. A lot of work after this still left to   
   do though.   
   --- SBBSecho 3.31-Linux   
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)   
   SEEN-BY: 10/0 1 102/401 103/1 705 105/81 106/201 124/5016 128/187   
   SEEN-BY: 129/14 153/7715 154/110 214/22 218/0 1 215 610 700 810 226/30   
   SEEN-BY: 227/114 229/110 206 317 400 426 428 470 700 705 266/512 280/464   
   SEEN-BY: 291/111 301/1 320/219 322/757 342/200 396/45 460/58 633/280   
   SEEN-BY: 712/848 902/26 5075/35   
   PATH: 103/705 218/700 229/426