On Sun Dec 27, 2020 at 1:01 PM CET, Martin Keegan wrote:

> You posted on your gemlog some time ago that the experience of the use
> of TLS client certificates had raised issues that needed to be clarified in
> the spec; I don't know whether these issues were satisfactorily
> resolved.
>
> => gemini://gemini.circumlunar.space/users/solderpunk/gemlog/tls-musings.gmi

Thanks for the reminder! The SNI issue was addressed and this is now mentioned in the spec. The status codes related to client certificates were also simplified and "transient certificates" are no longer a first-class concept in the spec. I *think* those were the major issues that a little real-world experience revealed, and that they are both now resolved.

> For my own part I'd like to know about timeouts. My server is coded with
> some concern about DoS attacks such as the Slow Loris attack:
>
> => https://en.wikipedia.org/wiki/Slowloris_(computer_security)
>
> To mitigate this, the server shuts down any connection which hasn't
> submitted a request after ten seconds. Pragmatically, client authors do
> not need licence from the spec to implement a timeout, but it may be
> useful to constrain when and how server implementors should/must/must
> not do this.

Hmm. While I agree that neither servers nor clients really need permission to implement basic functionality like timeouts, this particular case *does* raise some questions. Currently it seems implicit in the spec that servers may not say anything until the client has finished sending a request. In principle, there are circumstances where a server might know what it wants to do before that point - an invalid URL (triggering a status code 59 response) might be detected before it is complete, and the n-th request within m seconds (triggering a status code 44 response) can be detected before *anything* is received. And, as you point out, reasonable defensive timeouts can occur before a request is complete.

Is a server obligated to wait for a complete response before saying anything? Thanks for bringing this up, I'll think about it. Thoughts are welcome.

Cheers,
Solderpunk
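A concrete sketch of the three server behaviours discussed in this message (the ten-second defensive timeout, rejecting an invalid URL with 59 before the request line is complete, and detecting a rate-limit 44 before any byte is read), as added example code that is not part of this thread or of any server mentioned in it. The 1024-byte URL limit is taken from the Gemini spec; the rate-limit numbers are a hypothetical policy and the decision tuples are this example's own convention.

```python
from collections import deque
from dataclasses import dataclass, field
from urllib.parse import urlparse

MAX_URL_BYTES = 1024     # Gemini spec: request is <URL><CR><LF>, URL at most 1024 bytes
REQUEST_TIMEOUT = 10.0   # seconds without a complete request before the server hangs up
RATE_LIMIT = (5, 60.0)   # hypothetical policy: at most 5 connections per client per 60 s


@dataclass
class RequestReader:
    """Incremental reader for one Gemini request line. feed() returns, in this
    example's own convention: ("wait", None) keep reading; ("ok", url) complete
    valid request; ("status", "59 ...") send header and close, possibly before
    the CRLF arrives; ("close", None) hang up silently, defensive timeout."""
    opened_at: float
    buf: bytearray = field(default_factory=bytearray)

    def feed(self, chunk: bytes, now: float):
        if now - self.opened_at > REQUEST_TIMEOUT:
            return ("close", None)          # Slowloris-style trickle: drop it
        self.buf += chunk
        end = self.buf.find(b"\r\n")
        if end == -1:
            # No terminator yet. +1 allows a trailing CR whose LF is still in flight.
            if len(self.buf) > MAX_URL_BYTES + 1:
                return ("status", "59 URL too long\r\n")
            return ("wait", None)
        raw = bytes(self.buf[:end])
        try:
            parts = urlparse(raw.decode("utf-8"))
        except UnicodeDecodeError:
            return ("status", "59 Bad request\r\n")
        if len(raw) > MAX_URL_BYTES or not parts.scheme or not parts.netloc:
            return ("status", "59 Bad request\r\n")
        return ("ok", parts.geturl())


class RateLimiter:
    """Per-client sliding window, checked on accept() before any byte is read."""
    def __init__(self, limit=RATE_LIMIT[0], window=RATE_LIMIT[1]):
        self.limit, self.window = limit, window
        self.seen = {}                      # client address -> deque of connect times

    def allow(self, client: str, now: float) -> bool:
        times = self.seen.setdefault(client, deque())
        while times and now - times[0] > self.window:
            times.popleft()                 # forget connections outside the window
        times.append(now)
        return len(times) <= self.limit     # False -> answer "44 SLOW DOWN" and close
```

A real server would drive feed() from its socket read loop with the current clock and run allow() with the peer address as soon as accept() returns.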
---
Previous in thread (2 of 31): 🗣️ Martin Keegan (martin (a) no.ucant.org)
Next in thread (4 of 31): 🗣️ Petite Abeille (petite.abeille (a) gmail.com)