On 2021-09-21, Omar Polo <op@omarpolo.com> wrote:
> stack@tilde.club writes:
>
>> [...]
>>
>> I am using BearSSL (for its minimalism). I started with the sample
>> provided, modified for the Gemini request. I keep getting stuck with
>> error 62 (probably because I don't understand how to deal with TLS).
>> I attempted to generate the CA boilerplate code, but there are some
>> ominous hints that the code is HTTPS-specific.
>
> It's just a wild guess, I never touched BearSSL, but it smells like a
> possible failure in verifying the certificates. In geminispace the
> usage of TOFU and self-signed certificates is way more popular than on
> the web, and TLS libraries by default try to verify the certificate
> against the installed CAs. For the record, on libtls the function is
> tls_config_insecure_noverifycert.

I have a lot of experience with BearSSL, and I think this is a good guess. Error code 62 is BR_ERR_X509_NOT_TRUSTED, which means that the server is using a certificate that was not accepted by the X.509 engine you configured your client to use.

stack, I'm assuming you were just using br_x509_minimal_context, which is configured with a set of CAs, one of which must be found in the certificate chain sent by servers. As Omar said, with gemini it is common practice to use self-signed certificates, which will need a different X.509 engine. For an example, check out Drew DeVault's gmni client, which uses BearSSL and implements an `x509_tofu_context`: https://git.sr.ht/~sircmpwn/gmni/tree/master/item/src/tofu.c
---
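The reply above explains that a TOFU client needs an X.509 engine that pins the server's certificate instead of checking it against CAs. The following is an added example, not code from the thread, gmni or BearSSL: it shows only the trust decision such an engine has to make once it holds the leaf certificate's fingerprint (in a BearSSL engine this would run from the end_chain() callback after hashing the DER certificate). The known-hosts store format and the function name `tofu_check` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory known-hosts store, one "host<space>fingerprint"
 * entry per line. Fingerprints are constructed placeholders, not real hashes. */
static const char sample_store[] =
    "gemini.example.org fp-placeholder-aaaa\n"
    "other.example.net fp-placeholder-bbbb\n";

enum tofu_result { TOFU_TRUSTED, TOFU_NEW_HOST, TOFU_MISMATCH };

/* TOFU_TRUSTED: the pinned fingerprint matches.
 * TOFU_NEW_HOST: never seen; the caller pins it ("trust on first use").
 * TOFU_MISMATCH: a different fingerprint is pinned. This is either a
 *   legitimate key rotation or an interception, and the engine cannot
 *   tell which, so it must refuse (BR_ERR_X509_NOT_TRUSTED in BearSSL
 *   terms) or at least escalate to the user rather than silently accept. */
enum tofu_result tofu_check(const char *store, const char *host, const char *fp)
{
    const char *line = store;
    size_t hostlen = strlen(host);

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Match the whole host token, not just a prefix of a longer name. */
        if (len > hostlen + 1 && strncmp(line, host, hostlen) == 0
                && line[hostlen] == ' ') {
            const char *pinned = line + hostlen + 1;
            size_t pinlen = len - hostlen - 1;
            if (pinlen == strlen(fp) && memcmp(pinned, fp, pinlen) == 0)
                return TOFU_TRUSTED;
            return TOFU_MISMATCH;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return TOFU_NEW_HOST;
}

int main(void)
{
    /* Prints 0 (trusted), 2 (mismatch), 1 (new host). */
    printf("%d\n", tofu_check(sample_store, "gemini.example.org", "fp-placeholder-aaaa"));
    printf("%d\n", tofu_check(sample_store, "gemini.example.org", "fp-placeholder-zzzz"));
    printf("%d\n", tofu_check(sample_store, "new.example.com", "fp-placeholder-aaaa"));
    return 0;
}
```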