feat: custom TLS certificate verification

Cargo.lock

@@ -2654,7 +2654,7 @@ dependencies = [
  "hyper",
  "libc",
  "pin-project-lite",
- "socket2 0.6.0",
+ "socket2 0.5.9",
  "tokio",
  "tower-service",
  "tracing",
@@ -2860,9 +2860,9 @@ dependencies = [
 
 [[package]]
 name = "image"
-version = "0.25.10"
+version = "0.25.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
+checksum = "e6506c6c10786659413faa717ceebcb8f70731c0a60cbae39795fdf114519c1a"
 dependencies = [
  "bytemuck",
  "byteorder-lite",
@@ -3483,9 +3483,9 @@ dependencies = [
 
 [[package]]
 name = "moxcms"
-version = "0.8.1"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
+checksum = "ddd32fa8935aeadb8a8a6b6b351e40225570a37c43de67690383d87ef170cd08"
 dependencies = [
  "num-traits",
  "pxfm",
@@ -4615,9 +4615,9 @@ dependencies = [
 
 [[package]]
 name = "proptest"
-version = "1.11.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b45fcc2344c680f5025fe57779faef368840d0bd1f42f216291f0dc4ace4744"
+checksum = "37566cb3fdacef14c0737f9546df7cfeadbfbc9fef10991038bf5015d0c80532"
 dependencies = [
  "bitflags 2.11.0",
  "num-traits",

src/blob.rs

@@ -10,8 +10,8 @@ use anyhow::{Context as _, Result, ensure, format_err};
 use base64::Engine as _;
 use futures::StreamExt;
 use image::ImageReader;
+use image::codecs::jpeg::JpegEncoder;
 use image::{DynamicImage, GenericImage, GenericImageView, ImageFormat, Pixel, Rgba};
-use image::{codecs::jpeg::JpegEncoder, metadata::Orientation};
 use num_traits::FromPrimitive;
 use tokio::{fs, task};
 use tokio_stream::wrappers::ReadDirStream;
@@ -362,10 +362,7 @@ impl<'a> BlobObject<'a> {
                 return Ok(name);
             }
             let mut img = imgreader.decode().context("image decode failure")?;
-            let orientation = exif
-                .as_ref()
-                .map(|exif| exif_orientation(exif, context))
-                .unwrap_or(Orientation::NoTransforms);
+            let orientation = exif.as_ref().map(|exif| exif_orientation(exif, context));
             let mut encoded = Vec::new();
 
             if *vt == Viewtype::Sticker {
@@ -384,7 +381,13 @@ impl<'a> BlobObject<'a> {
                     return Ok(name);
                 }
             }
-            img.apply_orientation(orientation);
+
+            img = match orientation {
+                Some(90) => img.rotate90(),
+                Some(180) => img.rotate180(),
+                Some(270) => img.rotate270(),
+                _ => img,
+            };
 
             // max_wh is the maximum image width and height, i.e. the resolution-limit.
             // target_wh target-resolution for resizing the image.
@@ -548,17 +551,18 @@ fn image_metadata(file: &std::fs::File) -> Result<(u64, Option<exif::Exif>)> {
     Ok((len, exif))
 }
 
-fn exif_orientation(exif: &exif::Exif, context: &Context) -> Orientation {
-    if let Some(orientation) = exif.get_field(exif::Tag::Orientation, exif::In::PRIMARY)
-        && let Some(val) = orientation.value.get_uint(0)
-        && let Ok(val) = TryInto::<u8>::try_into(val)
-    {
-        return Orientation::from_exif(val).unwrap_or({
-            warn!(context, "Exif orientation value ignored: {val:?}.");
-            Orientation::NoTransforms
-        });
+fn exif_orientation(exif: &exif::Exif, context: &Context) -> i32 {
+    if let Some(orientation) = exif.get_field(exif::Tag::Orientation, exif::In::PRIMARY) {
+        // possible orientation values are described at http://sylvana.net/jpegcrop/exif_orientation.html
+        // we only use rotation, in practise, flipping is not used.
+        match orientation.value.get_uint(0) {
+            Some(3) => return 180,
+            Some(6) => return 90,
+            Some(8) => return 270,
+            other => warn!(context, "Exif orientation value ignored: {other:?}."),
+        }
     }
-    Orientation::NoTransforms
+    0
 }
 
 /// All files in the blobdir.

src/blob/blob_tests.rs

@@ -305,7 +305,7 @@ async fn test_recode_image_2() {
         has_exif: true,
         original_width: 2000,
         original_height: 1800,
-        orientation: Some(Orientation::Rotate270),
+        orientation: 270,
         compressed_width: 1800,
         compressed_height: 2000,
         ..Default::default()
@@ -336,28 +336,6 @@ async fn test_recode_image_2() {
     assert_correct_rotation(&img_rotated);
 }
 
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_recode_image_vflipped() {
-    let bytes = include_bytes!("../../test-data/image/rectangle200x180-vflipped.jpg");
-    let img_rotated = SendImageCheckMediaquality {
-        viewtype: Viewtype::Image,
-        media_quality_config: "0",
-        bytes,
-        extension: "jpg",
-        has_exif: true,
-        original_width: 200,
-        original_height: 180,
-        orientation: Some(Orientation::FlipVertical),
-        compressed_width: 200,
-        compressed_height: 180,
-        ..Default::default()
-    }
-    .test()
-    .await
-    .unwrap();
-    assert_correct_rotation(&img_rotated);
-}
-
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_recode_image_bad_exif() {
     // `exiftool` reports for this file "Bad offset for IFD0 XResolution", still Exif must be
@@ -552,7 +530,7 @@ struct SendImageCheckMediaquality<'a> {
     pub(crate) has_exif: bool,
     pub(crate) original_width: u32,
     pub(crate) original_height: u32,
-    pub(crate) orientation: Option<Orientation>,
+    pub(crate) orientation: i32,
     pub(crate) res_viewtype: Option<Viewtype>,
     pub(crate) compressed_width: u32,
     pub(crate) compressed_height: u32,
@@ -568,7 +546,7 @@ impl SendImageCheckMediaquality<'_> {
         let has_exif = self.has_exif;
         let original_width = self.original_width;
         let original_height = self.original_height;
-        let orientation = self.orientation.unwrap_or(Orientation::NoTransforms);
+        let orientation = self.orientation;
         let res_viewtype = self.res_viewtype.unwrap_or(Viewtype::Image);
         let compressed_width = self.compressed_width;
         let compressed_height = self.compressed_height;

src/context.rs

@@ -25,7 +25,7 @@ use crate::key::self_fingerprint;
 use crate::log::warn;
 use crate::logged_debug_assert;
 use crate::message::{self, MessageState, MsgId};
-use crate::net::tls::TlsSessionStore;
+use crate::net::tls::{SpkiHashStore, TlsSessionStore};
 use crate::peer_channels::Iroh;
 use crate::push::PushSubscriber;
 use crate::quota::QuotaInfo;
@@ -308,6 +308,13 @@ pub struct InnerContext {
     /// TLS session resumption cache.
     pub(crate) tls_session_store: TlsSessionStore,
 
+    /// Store for TLS SPKI hashes.
+    ///
+    /// Used to remember public keys
+    /// of TLS certificates to accept them
+    /// even after they expire.
+    pub(crate) spki_hash_store: SpkiHashStore,
+
     /// Iroh for realtime peer channels.
     pub(crate) iroh: Arc<RwLock<Option<Iroh>>>,
 
@@ -511,6 +518,7 @@ impl Context {
             push_subscriber,
             push_subscribed: AtomicBool::new(false),
             tls_session_store: TlsSessionStore::new(),
+            spki_hash_store: SpkiHashStore::new(),
             iroh: Arc::new(RwLock::new(None)),
             self_fingerprint: OnceLock::new(),
             self_public_key: Mutex::new(None),

src/imap/client.rs

@@ -220,6 +220,8 @@ impl Client {
             alpn(addr.port()),
             logging_stream,
             &context.tls_session_store,
+            &context.spki_hash_store,
+            &context.sql,
         )
         .await?;
         let buffered_stream = BufWriter::new(tls_stream);
@@ -282,6 +284,8 @@ impl Client {
             "",
             tcp_stream,
             &context.tls_session_store,
+            &context.spki_hash_store,
+            &context.sql,
         )
         .await
         .context("STARTTLS upgrade failed")?;
@@ -310,6 +314,8 @@ impl Client {
             alpn(port),
             proxy_stream,
             &context.tls_session_store,
+            &context.spki_hash_store,
+            &context.sql,
         )
         .await?;
         let buffered_stream = BufWriter::new(tls_stream);
@@ -373,6 +379,8 @@ impl Client {
             "",
             proxy_stream,
             &context.tls_session_store,
+            &context.spki_hash_store,
+            &context.sql,
         )
         .await
         .context("STARTTLS upgrade failed")?;

src/net.rs

@@ -12,7 +12,7 @@ use tokio_io_timeout::TimeoutStream;
 
 use crate::context::Context;
 use crate::net::session::SessionStream;
-use crate::net::tls::TlsSessionStore;
+use crate::net::tls::{SpkiHashStore, TlsSessionStore};
 use crate::sql::Sql;
 use crate::tools::time;
 
@@ -130,6 +130,8 @@ pub(crate) async fn connect_tls_inner(
     strict_tls: bool,
     alpn: &str,
     tls_session_store: &TlsSessionStore,
+    spki_hash_store: &SpkiHashStore,
+    sql: &Sql,
 ) -> Result<impl SessionStream + 'static> {
     let use_sni = true;
     let tcp_stream = connect_tcp_inner(addr).await?;
@@ -141,6 +143,8 @@ pub(crate) async fn connect_tls_inner(
         alpn,
         tcp_stream,
         tls_session_store,
+        spki_hash_store,
+        sql,
     )
     .await?;
     Ok(tls_stream)

src/net/http.rs

@@ -87,6 +87,8 @@ where
                     "",
                     proxy_stream,
                     &context.tls_session_store,
+                    &context.spki_hash_store,
+                    &context.sql,
                 )
                 .await?;
                 Box::new(tls_stream)
@@ -99,6 +101,8 @@ where
                     "",
                     tcp_stream,
                     &context.tls_session_store,
+                    &context.spki_hash_store,
+                    &context.sql,
                 )
                 .await?;
                 Box::new(tls_stream)

src/net/proxy.rs

@@ -439,6 +439,8 @@ impl ProxyConfig {
                     "",
                     tcp_stream,
                     &context.tls_session_store,
+                    &context.spki_hash_store,
+                    &context.sql,
                 )
                 .await?;
                 let auth = if let Some((username, password)) = &https_config.user_password {

src/net/tls.rs

@@ -6,13 +6,19 @@ use std::sync::Arc;
 use anyhow::Result;
 
 use crate::net::session::SessionStream;
+use crate::sql::Sql;
 
 use tokio_rustls::rustls;
 use tokio_rustls::rustls::client::ClientSessionStore;
+use tokio_rustls::rustls::server::ParsedCertificate;
 
 mod danger;
-use danger::NoCertificateVerification;
+use danger::CustomCertificateVerifier;
 
+mod spki;
+pub use spki::SpkiHashStore;
+
+#[expect(clippy::too_many_arguments)]
 pub async fn wrap_tls<'a>(
     strict_tls: bool,
     hostname: &str,
@@ -21,10 +27,21 @@ pub async fn wrap_tls<'a>(
     alpn: &str,
     stream: impl SessionStream + 'static,
     tls_session_store: &TlsSessionStore,
+    spki_hash_store: &SpkiHashStore,
+    sql: &Sql,
 ) -> Result<impl SessionStream + 'a> {
     if strict_tls {
-        let tls_stream =
-            wrap_rustls(hostname, port, use_sni, alpn, stream, tls_session_store).await?;
+        let tls_stream = wrap_rustls(
+            hostname,
+            port,
+            use_sni,
+            alpn,
+            stream,
+            tls_session_store,
+            spki_hash_store,
+            sql,
+        )
+        .await?;
         let boxed_stream: Box<dyn SessionStream> = Box::new(tls_stream);
         Ok(boxed_stream)
     } else {
@@ -94,6 +111,7 @@ impl TlsSessionStore {
     }
 }
 
+#[expect(clippy::too_many_arguments)]
 pub async fn wrap_rustls<'a>(
     hostname: &str,
     port: u16,
@@ -101,6 +119,8 @@ pub async fn wrap_rustls<'a>(
     alpn: &str,
     stream: impl SessionStream + 'a,
     tls_session_store: &TlsSessionStore,
+    spki_hash_store: &SpkiHashStore,
+    sql: &Sql,
 ) -> Result<impl SessionStream + 'a> {
     let mut root_cert_store = rustls::RootCertStore::empty();
     root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
@@ -127,20 +147,27 @@ pub async fn wrap_rustls<'a>(
     config.resumption = resumption;
     config.enable_sni = use_sni;
 
-    // Do not verify certificates for hostnames starting with `_`.
-    // They are used for servers with self-signed certificates, e.g. for local testing.
-    // Hostnames starting with `_` can have only self-signed TLS certificates or wildcard certificates.
-    // It is not possible to get valid non-wildcard TLS certificates because CA/Browser Forum requirements
-    // explicitly state that domains should start with a letter, digit or hyphen:
-    // https://github.com/cabforum/servercert/blob/24f38fd4765e019db8bb1a8c56bf63c7115ce0b0/docs/BR.md
-    if hostname.starts_with("_") {
-        config
-            .dangerous()
-            .set_certificate_verifier(Arc::new(NoCertificateVerification::new()));
-    }
+    config
+        .dangerous()
+        .set_certificate_verifier(Arc::new(CustomCertificateVerifier::new(
+            spki_hash_store.get_spki_hash(hostname, sql).await?,
+        )));
 
     let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
     let name = tokio_rustls::rustls::pki_types::ServerName::try_from(hostname)?.to_owned();
     let tls_stream = tls.connect(name, stream).await?;
+
+    // Successfully connected.
+    // Remember SPKI hash to accept it later if certificate expires.
+    let (_io, client_connection) = tls_stream.get_ref();
+    if let Some(end_entity) = client_connection
+        .peer_certificates()
+        .and_then(|certs| certs.first())
+    {
+        let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
+        let spki = parsed_certificate.subject_public_key_info();
+        spki_hash_store.save_spki(hostname, &spki, sql).await?;
+    }
+
     Ok(tls_stream)
 }

src/net/tls/danger.rs

@@ -1,26 +1,85 @@
-//! Dangerous TLS implementation of accepting invalid certificates for Rustls.
+//! Custom TLS verification.
+//!
+//! We want to accept expired certificates.
 
+use rustls::RootCertStore;
+use rustls::client::{verify_server_cert_signed_by_trust_anchor, verify_server_name};
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
+use rustls::server::ParsedCertificate;
 use tokio_rustls::rustls;
 
-#[derive(Debug)]
-pub(super) struct NoCertificateVerification();
+use crate::net::tls::spki::spki_hash;
 
-impl NoCertificateVerification {
-    pub(super) fn new() -> Self {
-        Self()
+#[derive(Debug)]
+pub(super) struct CustomCertificateVerifier {
+    /// Root certificates.
+    root_cert_store: RootCertStore,
+
+    /// Expected SPKI hash as a base64 of SHA-256.
+    spki_hash: Option<String>,
+}
+
+impl CustomCertificateVerifier {
+    pub(super) fn new(spki_hash: Option<String>) -> Self {
+        let mut root_cert_store = rustls::RootCertStore::empty();
+        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+        Self {
+            root_cert_store,
+            spki_hash,
+        }
     }
 }
 
-impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
+impl rustls::client::danger::ServerCertVerifier for CustomCertificateVerifier {
     fn verify_server_cert(
         &self,
-        _end_entity: &CertificateDer<'_>,
-        _intermediates: &[CertificateDer<'_>],
-        _server_name: &ServerName<'_>,
+        end_entity: &CertificateDer<'_>,
+        intermediates: &[CertificateDer<'_>],
+        server_name: &ServerName<'_>,
         _ocsp_response: &[u8],
-        _now: UnixTime,
+        now: UnixTime,
     ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
+
+        let spki = parsed_certificate.subject_public_key_info();
+
+        let provider = rustls::crypto::ring::default_provider();
+
+        if let ServerName::DnsName(dns_name) = server_name
+            && dns_name.as_ref().starts_with("_")
+        {
+            // Do not verify certificates for hostnames starting with `_`.
+            // They are used for servers with self-signed certificates, e.g. for local testing.
+            // Hostnames starting with `_` can have only self-signed TLS certificates or wildcard certificates.
+            // It is not possible to get valid non-wildcard TLS certificates because CA/Browser Forum requirements
+            // explicitly state that domains should start with a letter, digit or hyphen:
+            // https://github.com/cabforum/servercert/blob/24f38fd4765e019db8bb1a8c56bf63c7115ce0b0/docs/BR.md
+        } else if let Some(hash) = &self.spki_hash
+            && spki_hash(&spki) == *hash
+        {
+            // Last time we successfully connected to this hostname with TLS checks,
+            // SPKI had this hash.
+            // It does not matter if certificate has now expired.
+        } else {
+            // verify_server_cert_signed_by_trust_anchor does no revocation checking:
+            // <https://docs.rs/rustls/0.23.37/rustls/client/fn.verify_server_cert_signed_by_trust_anchor.html>
+            // We don't do it either.
+            verify_server_cert_signed_by_trust_anchor(
+                &parsed_certificate,
+                &self.root_cert_store,
+                intermediates,
+                now,
+                provider.signature_verification_algorithms.all,
+            )?;
+        }
+
+        // Verify server name unconditionally.
+        //
+        // We do this even for self-signed certificates when hostname starts with `_`
+        // so we don't try to connect to captive portals
+        // and fail on MITM certificates if they are generated once
+        // and reused for all hostnames.
+        verify_server_name(&parsed_certificate, server_name)?;
         Ok(rustls::client::danger::ServerCertVerified::assertion())
     }
 

src/net/tls/spki.rs

@@ -0,0 +1,92 @@
+//! SPKI hash storage.
+//!
+//! We store hashes of Subject Public Key Info from TLS certificates
+//! after successful connection to allow connecting when
+//! server certificate expires as long as the key is not changed.
+
+use std::collections::BTreeMap;
+
+use anyhow::Result;
+use base64::Engine as _;
+use parking_lot::RwLock;
+use sha2::{Digest, Sha256};
+use tokio_rustls::rustls::pki_types::SubjectPublicKeyInfoDer;
+
+use crate::sql::Sql;
+
+/// Calculates Subject Public Key Info SHA-256 hash and returns it as base64.
+///
+/// This is the same format as used in <https://www.rfc-editor.org/rfc/rfc7469>.
+/// You can calculate the same hash for any remote host with
+/// ```sh
+/// openssl s_client -connect "$HOST:993" -servername "$HOST" </dev/null 2>/dev/null |
+/// openssl x509 -pubkey -noout |
+/// openssl pkey -pubin -outform der |
+/// openssl dgst -sha256 -binary |
+/// openssl enc -base64
+/// ```
+pub fn spki_hash(spki: &SubjectPublicKeyInfoDer) -> String {
+    let spki_hash = Sha256::digest(spki);
+    base64::engine::general_purpose::STANDARD.encode(spki_hash)
+}
+
+/// Write-through cache for SPKI hashes.
+#[derive(Debug)]
+pub struct SpkiHashStore {
+    /// Map from hostnames to base64 of SHA-256 hashes.
+    pub hash_store: RwLock<BTreeMap<String, String>>,
+}
+
+impl SpkiHashStore {
+    pub fn new() -> Self {
+        Self {
+            hash_store: RwLock::new(BTreeMap::new()),
+        }
+    }
+
+    /// Returns base64 of SPKI hash if we have previously successfully connected to given hostname.
+    pub async fn get_spki_hash(&self, hostname: &str, sql: &Sql) -> Result<Option<String>> {
+        if let Some(hash) = self.hash_store.read().get(hostname).cloned() {
+            return Ok(Some(hash));
+        }
+
+        match sql
+            .query_row_optional(
+                "SELECT spki_hash FROM tls_spki WHERE host=?",
+                (hostname,),
+                |row| {
+                    let spki_hash: String = row.get(0)?;
+                    Ok(spki_hash)
+                },
+            )
+            .await?
+        {
+            Some(hash) => {
+                self.hash_store
+                    .write()
+                    .insert(hostname.to_string(), hash.clone());
+                Ok(Some(hash))
+            }
+            None => Ok(None),
+        }
+    }
+
+    /// Saves SPKI hash after successful connection.
+    pub async fn save_spki(
+        &self,
+        hostname: &str,
+        spki: &SubjectPublicKeyInfoDer<'_>,
+        sql: &Sql,
+    ) -> Result<()> {
+        let hash = spki_hash(spki);
+        self.hash_store
+            .write()
+            .insert(hostname.to_string(), hash.clone());
+        sql.execute(
+            "INSERT OR REPLACE INTO tls_spki (host, spki_hash) VALUES (?, ?)",
+            (hostname, hash),
+        )
+        .await?;
+        Ok(())
+    }
+}

src/receive_imf/receive_imf_tests.rs

@@ -5363,46 +5363,6 @@ async fn test_outgoing_unencrypted_chat_assignment() {
     assert_eq!(received.chat_id, chat.id);
 }
 
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_incoming_reply_with_date_in_past() -> Result<()> {
-    let mut tcm = TestContextManager::new();
-    let alice = &tcm.alice().await;
-
-    let msg0 = receive_imf(
-        alice,
-        b"From: bob@example.net\n\
-          To: alice@example.org\n\
-          Message-ID: <message@example.net>\n\
-          Date: Sun, 22 Mar 2020 22:22:22 +0000\n\
-          \n\
-          This device has an atomic clock\n",
-        false,
-    )
-    .await?
-    .unwrap();
-
-    let msg1 = receive_imf(
-        alice,
-        b"From: bob@example.net\n\
-          To: alice@example.org\n\
-          Message-ID: <message1@example.net>\n\
-          In-Reply-To: <message@example.net>\n\
-          Date: Sun, 22 Mar 2020 11:11:11 +0000\n\
-          \n\
-          And this one has a wind-up clock\n",
-        false,
-    )
-    .await?
-    .unwrap();
-    assert_eq!(msg1.chat_id, msg0.chat_id);
-    assert!(msg1.sort_timestamp >= msg0.sort_timestamp);
-    assert_eq!(
-        alice.get_last_msg_in(msg0.chat_id).await.id,
-        *msg1.msg_ids.last().unwrap()
-    );
-    Ok(())
-}
-
 /// Tests Bob receiving a message from Alice
 /// in a new group she just created
 /// with only Alice and Bob.

src/smtp/connect.rs

@@ -11,11 +11,12 @@ use crate::log::warn;
 use crate::net::dns::{lookup_host_with_cache, update_connect_timestamp};
 use crate::net::proxy::ProxyConfig;
 use crate::net::session::SessionBufStream;
-use crate::net::tls::{TlsSessionStore, wrap_tls};
+use crate::net::tls::{SpkiHashStore, TlsSessionStore, wrap_tls};
 use crate::net::{
     connect_tcp_inner, connect_tls_inner, run_connection_attempts, update_connection_history,
 };
 use crate::oauth2::get_oauth2_access_token;
+use crate::sql::Sql;
 use crate::tools::time;
 use crate::transport::ConnectionCandidate;
 use crate::transport::ConnectionSecurity;
@@ -111,10 +112,26 @@ async fn connection_attempt(
     );
     let res = match security {
         ConnectionSecurity::Tls => {
-            connect_secure(resolved_addr, host, strict_tls, &context.tls_session_store).await
+            connect_secure(
+                resolved_addr,
+                host,
+                strict_tls,
+                &context.tls_session_store,
+                &context.spki_hash_store,
+                &context.sql,
+            )
+            .await
         }
         ConnectionSecurity::Starttls => {
-            connect_starttls(resolved_addr, host, strict_tls, &context.tls_session_store).await
+            connect_starttls(
+                resolved_addr,
+                host,
+                strict_tls,
+                &context.tls_session_store,
+                &context.spki_hash_store,
+                &context.sql,
+            )
+            .await
         }
         ConnectionSecurity::Plain => connect_insecure(resolved_addr).await,
     };
@@ -240,6 +257,8 @@ async fn connect_secure_proxy(
         alpn(port),
         proxy_stream,
         &context.tls_session_store,
+        &context.spki_hash_store,
+        &context.sql,
     )
     .await?;
     let mut buffered_stream = BufStream::new(tls_stream);
@@ -273,6 +292,8 @@ async fn connect_starttls_proxy(
         "",
         tcp_stream,
         &context.tls_session_store,
+        &context.spki_hash_store,
+        &context.sql,
     )
     .await
     .context("STARTTLS upgrade failed")?;
@@ -299,6 +320,8 @@ async fn connect_secure(
     hostname: &str,
     strict_tls: bool,
     tls_session_store: &TlsSessionStore,
+    spki_hash_store: &SpkiHashStore,
+    sql: &Sql,
 ) -> Result<Box<dyn SessionBufStream>> {
     let tls_stream = connect_tls_inner(
         addr,
@@ -306,6 +329,8 @@ async fn connect_secure(
         strict_tls,
         alpn(addr.port()),
         tls_session_store,
+        spki_hash_store,
+        sql,
     )
     .await?;
     let mut buffered_stream = BufStream::new(tls_stream);
@@ -319,6 +344,8 @@ async fn connect_starttls(
     host: &str,
     strict_tls: bool,
     tls_session_store: &TlsSessionStore,
+    spki_hash_store: &SpkiHashStore,
+    sql: &Sql,
 ) -> Result<Box<dyn SessionBufStream>> {
     let use_sni = false;
     let tcp_stream = connect_tcp_inner(addr).await?;
@@ -336,6 +363,8 @@ async fn connect_starttls(
         "",
         tcp_stream,
         tls_session_store,
+        spki_hash_store,
+        sql,
     )
     .await
     .context("STARTTLS upgrade failed")?;

src/sql/migrations.rs

@@ -2316,6 +2316,18 @@ ALTER TABLE contacts ADD COLUMN name_normalized TEXT;
         .await?;
     }
 
+    inc_and_check(&mut migration_version, 150)?;
+    if dbversion < migration_version {
+        sql.execute_migration(
+            "CREATE TABLE tls_spki (
+               host TEXT NOT NULL UNIQUE,
+               spki_hash TEXT NOT NULL -- base64 of SPKI SHA-256 hash
+             ) STRICT",
+            migration_version,
+        )
+        .await?;
+    }
+
     let new_version = sql
         .get_raw_config_int(VERSION_CFG)
         .await?