On Tue, Jun 9, 2020 at 10:09 PM Sean Conner <sean at conman.org> wrote:
>
> It was thus said that the Great Michael Lazar once stated:
> >
> > I have a CGI debug script set up here [2] if anybody wants to poke holes in my
> > implementation.
> >
> > [1] https://tools.ietf.org/html/rfc3875#section-3.3
> > [2] gemini://mozz.us/cgi-bin/debug.cgi
>
> I notice it doesn't set PATH_TRANSLATED

I just didn't see a compelling reason to add it.

> and it always sets TLS_CIPHER and TLS_VERSION.

Why not? These are just as useful even if the client doesn't send a certificate.

> And why HOSTNAME when you also have SERVER_NAME?

I can't remember why I added this. I thought I saw HOSTNAME referenced somewhere...

Some other differences in my server's CGI implementation (I used GLV as a reference implementation, so there are a lot of similarities too):

TLS_CLIENT_HASH

I'm using a base64-encoded representation of the hash. I like your notation of SHA256:<HEX> better, but it's too late now and I don't want to break backwards compatibility.

TLS_CLIENT_SERIAL_NUMBER

The client certificate serial number. I'm surprised that this isn't available in libtls.

TLS_CLIENT_AUTHORISED

Even though jetforce accepts unverified client certificates now, it will still check if the certificate is authorised anyway. This means both valid and trusted by the server's CA store. So this will be set to "1" for trusted and "0" for untrusted. I like this variable because it gives each CGI script the option to implement authentication however they want.
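Added example (not code from the thread, jetforce or GLV): a small Python CGI handler showing how a script can consume the variables discussed above. It accepts TLS_CLIENT_HASH in either notation (jetforce-style bare base64 digest, or GLV-style SHA256:<HEX>) and normalises both to raw digest bytes, then combines TLS_CLIENT_AUTHORISED with a script-local fingerprint allow list. The function names, the allow list, and the sample certificate bytes are all constructed for this example; the real digest would come from the server, and the script only ever sees the environment variables.

```python
import base64
import binascii
import hashlib
import os
import sys

# Constructed stand-in for a client certificate's DER bytes. A CGI script never
# sees the certificate itself, only the server-supplied fingerprint, so any byte
# string is enough to exercise the encoding paths below.
SAMPLE_CERT_DER = b"constructed-sample-certificate-bytes"


def sample_digest():
    """SHA-256 digest of the constructed certificate bytes (32 raw bytes)."""
    return hashlib.sha256(SAMPLE_CERT_DER).digest()


def encode_fingerprint(digest, style):
    """Render a raw digest in one of the two notations mentioned in the thread."""
    if style == "hex":            # GLV-style: SHA256:<HEX>
        return "SHA256:" + digest.hex().upper()
    return base64.b64encode(digest).decode("ascii")   # jetforce-style: bare base64


def normalize_fingerprint(value):
    """Return the raw 32-byte digest from either notation, or None if malformed.

    Returning None for anything unparseable means the caller treats the request
    as unauthenticated rather than guessing, so a garbled value never matches.
    """
    if not value:
        return None
    if value.upper().startswith("SHA256:"):
        try:
            raw = bytes.fromhex(value[len("SHA256:"):])
        except ValueError:
            return None
    else:
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return None
    return raw if len(raw) == 32 else None


def decide_access(env, allowed_fingerprints):
    """Classify a request from its CGI environment variables.

    "anonymous"  - no (usable) client certificate fingerprint present
    "trusted"    - server set TLS_CLIENT_AUTHORISED=1 (valid and in its CA store)
    "known"      - not CA-trusted, but fingerprint is on this script's allow list
    "untrusted"  - certificate presented, neither condition holds
    """
    fp = normalize_fingerprint(env.get("TLS_CLIENT_HASH"))
    if fp is None:
        return "anonymous"
    if env.get("TLS_CLIENT_AUTHORISED") == "1":
        return "trusted"
    if fp in allowed_fingerprints:
        return "known"
    return "untrusted"


def sample_env(style, authorised):
    """Constructed CGI environment resembling what a Gemini server might export."""
    return {
        "TLS_CLIENT_HASH": encode_fingerprint(sample_digest(), style),
        "TLS_CLIENT_AUTHORISED": "1" if authorised else "0",
        "TLS_CLIENT_SERIAL_NUMBER": "1234",   # constructed value
        "TLS_VERSION": "TLSv1.3",
        "TLS_CIPHER": "TLS_AES_256_GCM_SHA384",
    }


def main():
    # Hypothetical per-script allow list: fingerprints of self-signed certs the
    # script owner has decided to accept without a CA.
    allowed = {sample_digest()}
    verdict = decide_access(os.environ, allowed)
    body = "Access level: %s\nTLS: %s %s\n" % (
        verdict, os.environ.get("TLS_VERSION", "?"), os.environ.get("TLS_CIPHER", "?"))
    # Gemini response: status, meta, CRLF, then the body.
    sys.stdout.write("20 text/plain\r\n" + body)


if __name__ == "__main__":
    main()
```

When run under a server that exports these variables, the script emits a Gemini "20" response describing the decision; the separation between normalize_fingerprint and decide_access lets a script keep one allow list regardless of which fingerprint notation its server uses.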