Hi all, I tried the existing Dillo plugin but couldn't get it to work. Perhaps it got the job done at some iteration of the protocol. I've written my own according to the current spec for anyone interested: https://github.com/boomlinde/gemini.filter.dpi I've decided that in my client you explicitly have to pin invalid certificates and certificates with unknown authorities. On the first request to a site with a self-signed or invalid certificate, an error description will be displayed and you'll be given the option to pin it and continue anyway. After the certificate is pinned, you won't get a warning again until it changes. The certificate pins are stored in $HOME/.dillo/gemini/pinned as base64 encoded sha1 sums of the entire certificate chain used. For now it doesn't undersand client certificate status codes and will show them as it does errors (simply outputting the header in plain text). It will display an error on any encoding except utf-8 and us-ascii. Input works fine! The project has also yielded two interesting libraries: https://github.com/boomlinde/gemini is a protocol implementation, for now only a client, in Go. The client library makes it easy to set up a pin database and verifies connections by default. https://github.com/boomlinde/dpi implements a Dillo plugin server, in Go. It can be used to build both filter and server plugins. Neither of these libraries are really versioned yet. I want to dog-food the plugin for a while to weed any issues out before I will say that the APIs are stable. I hope someone else finds some use for this! -- Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: not available URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200626/a3d8 9eff/attachment.sig>
Hi Philip, Nice work. I like the certificate pinning feature. The other plugin (dillo-gemini) works with the current protocol, except for client certificates or any server certificate management. Maybe you were missing a dependency. I added a link to yours in its readme. Regards, Charles L. On Fri, 26 Jun 2020 23:32:08 +0200 Philip Linde <linde.philip at gmail.com> wrote: > Hi all, > > I tried the existing Dillo plugin but couldn't get it to work. > Perhaps it got the job done at some iteration of the protocol. > I've written my own according to the current spec for anyone > interested: > > https://github.com/boomlinde/gemini.filter.dpi > > I've decided that in my client you explicitly have to pin invalid > certificates and certificates with unknown authorities. On the first > request to a site with a self-signed or invalid certificate, an error > description will be displayed and you'll be given the option to pin it > and continue anyway. After the certificate is pinned, you won't get a > warning again until it changes. > > The certificate pins are stored in $HOME/.dillo/gemini/pinned as > base64 encoded sha1 sums of the entire certificate chain used. > > For now it doesn't undersand client certificate status codes and will > show them as it does errors (simply outputting the header in plain > text). It will display an error on any encoding except utf-8 and > us-ascii. > > Input works fine! > > The project has also yielded two interesting libraries: > > https://github.com/boomlinde/gemini is a protocol implementation, for > now only a client, in Go. The client library makes it easy to set up a > pin database and verifies connections by default. > > https://github.com/boomlinde/dpi implements a Dillo plugin server, in > Go. It can be used to build both filter and server plugins. > > Neither of these libraries are really versioned yet. I want to > dog-food the plugin for a while to weed any issues out before I will > say that the APIs are stable. > > I hope someone else finds some use for this! > > -- > Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200626/24f4 ba06/attachment.sig>
> Hi Philip, > > Nice work. I like the certificate pinning feature. Thanks, Charles. I think your plugin better embodies the "100-line client" idea in at least having significantly less than a thousand lines of code, and there is high value in that. I will link back to it as well. > The other plugin (dillo-gemini) works with the current protocol, except > for client certificates or any server certificate management. Maybe you > were missing a dependency. I added a link to yours in its readme. I investigated a bit further and found that my client doesn't understand the -verify_quiet flag: $ openssl s_client -verify_quiet -quiet "example.horse:1965" unknown option -verify_quiet # ... $ openssl version LibreSSL 3.0.2 So my openssl is actually from the LibreSSL fork. OpenBSD does this, and (apparently) my desktop OS of choice, Void Linux. There seem to be further differences preventing a simple fix. I have systems running Debian with genuine OpenSSL so if I can work out the differences and improve compatibility with LibreSSL in a clean way, I'll send you a patch. Have a great weekend, Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: not available URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200627/63e5 906e/attachment.sig>
---
Previous Thread: TLS certificate sizes in Geminispace
Next Thread: Illusory latency due to trailing slash redirects