Add cert-sha256 pinning and ss:// helper #48
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e51b1e5539
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
crates/slipstream-client/src/main.rs
Outdated
| if cert_sha256.is_some() && cert.is_some() { | ||
| tracing::warn!("Both cert and cert-sha256 provided; using cert-sha256"); | ||
| cert = None; | ||
| } |
There was a problem hiding this comment.
Because cert_sha256 is populated from SS_PLUGIN_OPTIONS when the CLI doesn’t pass --cert-sha256, this block clears cert whenever any hash is present. That means running the client with --cert while SS_PLUGIN_OPTIONS includes cert-sha256 cannot override the SIP003 pin even though the program advertises CLI precedence, and the client will pin the SIP003 hash instead, potentially failing to connect to the intended server or pinning the wrong leaf. Consider only letting cert-sha256 override --cert when it also came from the CLI, or ignore SIP003 cert-sha256 when --cert is explicitly provided.
Useful? React with 👍 / 👎.
1 participant
No description provided.