I've been working on upgrading TLS code for TLGS. One of the improvements is that besides OpenSSL, Botan can also be used as the underlying TLS library. In the process I discovered one thing. According to the RFC, a TLS 1.3 server must send X509 v3 certificates unless explicitly negotiated.
RFC 8446 4.4.2.2
The certificate type MUST be X.509v3 [RFC5280], unless explicitly
negotiated otherwise (e.g., [RFC7250]).
Link to RFC 8446 section 4.4.2.2
And Botan cares about this. It will not allow v1 certificates to pass the handshake.
During a test run of TLGS with Botan, I constantly get Botan complaining about not getting a v3 certificate. Please upgrade your capsule to be compliant with the RFC. TLGS will still be running with OpenSSL in the future, so it's probably not a big deal. But still, please comply with the RFC.
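For capsule operators who want to check which X.509 version their certificate declares, here is an added example (not code from TLGS or Botan) that reads the version field straight from the DER encoding using only the Python standard library. The function names and the two byte strings are constructed for illustration; the byte strings are only the leading fields of a certificate, not full certificates.

```python
import ssl

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(cert):
    """Return 1, 2 or 3 for a certificate given as DER bytes or a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else bytes(cert)
    tag, start, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, _ = _read_tlv(der, start)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, vstart, vend = _read_tlv(der, start)    # first field of tbsCertificate
    if tag != 0xA0:
        return 1                                 # version [0] absent: DEFAULT v1
    tag, istart, iend = _read_tlv(der, vstart)   # INTEGER wrapped by the [0] tag
    if tag != 0x02 or iend != vend:
        raise ValueError("malformed version field")
    return int.from_bytes(der[istart:iend], "big") + 1   # encoded 0,1,2 -> v1,v2,v3

def capsule_cert_version(host, port=1965):
    """Fetch a capsule's certificate without validating it (needs network)."""
    return x509_version(ssl.get_server_certificate((host, port)))

# Constructed inputs: just enough of a certificate to carry (or omit) the version.
V3_PREFIX = bytes.fromhex("300a" "3008" "a003020102" "020101")
V1_PREFIX = bytes.fromhex("3005" "3003" "020101")

if __name__ == "__main__":
    print("v3 sample:", x509_version(V3_PREFIX))
    print("v1 sample:", x509_version(V1_PREFIX))
```

A result of 1 means the certificate carries no version field at all, which is the case a strict TLS 1.3 client rejects.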
===
Also, who is abusing TLGS' search API? I keep no logs but I still keep errors. I'm getting a lot of these:
Someone sending a heck of a lot of requests with weird query strings.
I don't know who is doing this or where it's coming from. But please stop. I'll start sending 44 Slow Down responses if you keep sending requests like this.