How to do "certificate pinning"?

What is the problem you are having with rclone?

Trying to do cert pinning but didn't find it in help and forum

A recent LEA attack on showed how vulnerable relying on signed certs is. So I wanted to additionally do cert pinning (only allow verified (by me) certs) but didn't find how to do it in docs and forum.

So how to do cert pinning with rclone?

Run the command 'rclone version' and share the full output of the command.

rclone v1.64.2

That's a fairly complex process as I'd imagine you'd have to change some source code if you wanted to do that.

I don't think you will find any docs related to it.

Dunno how PuTTY solved it but it shows an alert each time a cert changes.
I was hoping rclone could do something like that by design.

This would definitely require some code changes. There is proof-of-concept code here

Something like that could go in rclone's dialler and have a file of OK certificate hashes (rather like a known_hosts file for ssh) to read the hashes from.

If we are talking PuTTY then we are talking ssh, which has its known_hosts file, and you can use that mechanism today in rclone:

  --sftp-known-hosts-file string            Optional path to known_hosts file
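As an added illustration of the design Nick sketches above (a known_hosts-style file of accepted hashes consulted from the dialler), and not code from rclone or its author: a small Go pin store plus the `tls.Config.VerifyConnection` hook it would plug into. The file format (`<host> sha256:<hex>`), the choice to hash the SubjectPublicKeyInfo rather than the whole certificate, and the names `Pins`, `ParsePins`, `SPKIHash` and `CheckLeaf` are my assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
)

// Pins holds the accepted "<host> <hex spki-sha256>" pairs; pinning the public key survives routine cert renewals.
type Pins map[string]bool
// ParsePins reads known_hosts-style text ("<host> sha256:<hex>" per line, '#' comments ok); a malformed line rejects the file.
func ParsePins(text string) (Pins, error) {
	pins := Pins{}
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 || !strings.HasPrefix(f[1], "sha256:") {
			return nil, fmt.Errorf("bad pin line: %q", line)
		}
		h := strings.ToLower(strings.TrimPrefix(f[1], "sha256:"))
		if b, err := hex.DecodeString(h); err != nil || len(b) != sha256.Size {
			return nil, fmt.Errorf("bad hash: %q", line)
		}
		pins[f[0]+" "+h] = true
	}
	return pins, nil
}
// SPKIHash is the hex SHA-256 of the certificate's SubjectPublicKeyInfo.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}
// CheckLeaf fails closed: a host with no pin, or an unknown key, is an error.
func (p Pins) CheckLeaf(host string, leaf *x509.Certificate) error {
	if h := SPKIHash(leaf); !p[host+" "+h] {
		return fmt.Errorf("pin mismatch for %s: got sha256:%s", host, h)
	}
	return nil
}

// VerifyConnection is the tls.Config.VerifyConnection hook; Go runs it after the normal CA chain check, so the pin is an extra layer.
func (p Pins) VerifyConnection(cs tls.ConnectionState) error {
	return p.CheckLeaf(cs.ServerName, cs.PeerCertificates[0])
}
```

Wiring it in would mean `&tls.Config{ServerName: host, VerifyConnection: pins.VerifyConnection}` on the client side; because the key rather than the certificate is pinned, a server that rotates its certificate but keeps its key pair still passes, while a new key (legitimate or not) fails until the pin file is updated.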

Thank you Nick.

That fully achieved what I want and would be a great thing to have for SSL/TLS as well, maybe you could put it on the wish list?
Unfortunately many cloud storage vendors only provide SSL/TLS access.

I think certificate pinning is less useful than it used to be for SSL/TLS certificates, as the majority of SSL certs are changed every 30 days or so. Certainly all of the ones I'm in charge of are.
