Certificate verification is awkward in poezio. From what I understand we're keeping track of the private key's fingerprint? And I don't know how we ensure anything about the trustchain, if we do.

When things don't match our expectations we show a dialog with this fingerprint, that doesn't correspond to something that is easily retrievable and seems to confuse users (me included).

In the meantime, this has been given in the channel a few years ago to try and get close to that fingerprint. (See logs at 20171009T09:53:33Z).

echo | openssl s_client -connect your.server:5222 -starttls xmpp | openssl x509 -noout -in certificate.pem -pubkey | openssl asn1parse -noout -inform pem -out public.key; openssl dgst -sha256 -binary public.key | openssl enc -base64