💾 Archived View for rawtext.club › ~sloum › geminilist › 001591.gmi captured on 2020-09-24 at 01:46:47. Gemini links have been rewritten to link to archived content


[ANN] tanelorn.city: a public gemini host for writers

solderpunk solderpunk at SDF.ORG

Fri Jun 12 17:43:25 BST 2020

- - - - - - - - - - - - - - - - - - - 

On Fri, Jun 12, 2020 at 06:39:22PM +0200, tastytea wrote:

> If I interpret the output from `openssl s_client`¹ correctly, the CN of
> the certificate is set to “Matthew Graybosch”, not “tanelorn.city”,
> as is customary for HTTPS. However, while the specification states in
> 4.2 that “Clients can validate TLS connections however they like”, it
> recommends a “lightweight "TOFU" certificate-pinning system” without
> mentioning hostname validation.

I guess various best practices for non-conventional certificate validation should be hashed out in, well, the best practices doc, or even a dedicated document.

For what it's worth, AV-98 expects either the Subject CN or one of the SubjectAlternativeNames to match the hostname in the URL it's trying to fetch and will complain otherwise. I can visit tanelorn.city just fine, so I guess there's a valid SAN that perhaps Bombadillo isn't seeing?

Cheers,
Solderpunk
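The two checks discussed in this message, hostname matching against CN or SAN and TOFU certificate pinning, as an added example that is not part of the original thread and is not AV-98's or Bombadillo's code. The certificate dictionaries are constructed in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; the CN comes from the thread, the SAN entries and the DER byte strings are assumptions for illustration, not the real tanelorn.city certificate.

```python
"""Hostname matching plus TOFU pinning for a Gemini client (added example)."""
import hashlib

# Constructed certificates in the shape that ssl.SSLSocket.getpeercert()
# returns. They are NOT the real tanelorn.city certificate: the CN is taken
# from the thread, the SAN entries are assumed.
CERT_WITH_SAN = {
    "subject": ((("commonName", "Matthew Graybosch"),),),
    "subjectAltName": (("DNS", "tanelorn.city"), ("DNS", "*.tanelorn.city")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "Matthew Graybosch"),),),
}

# Placeholder bytes standing in for the DER-encoded certificate; a real
# client gets them from SSLSocket.getpeercert(binary_form=True).
DER_V1 = b"constructed-der-bytes-version-1"
DER_V2 = b"constructed-der-bytes-version-2"


def _dns_match(pattern, hostname):
    """Case-insensitive match in the spirit of RFC 6125 section 6.4.3:
    at most one wildcard, it must be the entire leftmost label, and it
    must not cover a public suffix such as '*.city'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """The rule described in the thread: accept if the hostname matches any
    dNSName SAN or the subject CN. Strict RFC 6125 clients ignore the CN
    once any dNSName SAN is present; this stays permissive to mirror the
    CN-or-SAN behaviour the message describes."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and _dns_match(value, hostname):
            return True
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return True
    return False


class TofuStore:
    """Trust-on-first-use pin store keyed by host:port. In memory here;
    a real client persists it across sessions."""

    def __init__(self):
        self.pins = {}

    def check(self, hostport, cert_der):
        """Return 'new' (pinned now), 'ok' (matches pin) or 'changed'."""
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        known = self.pins.get(hostport)
        if known is None:
            self.pins[hostport] = fingerprint
            return "new"
        return "ok" if known == fingerprint else "changed"


def validate(cert, cert_der, host, store, port=1965):
    """Combine both checks; returns (accepted, reason). A changed pin is
    rejected rather than silently re-pinned: with TOFU the user has to
    clear the old pin deliberately, otherwise the pin protects nothing."""
    if not hostname_matches(cert, host):
        return False, "hostname %s matches neither CN nor any SAN" % host
    status = store.check("%s:%d" % (host, port), cert_der)
    if status == "changed":
        return False, "certificate for %s:%d changed since it was pinned" % (host, port)
    return True, "accepted (%s pin)" % status


if __name__ == "__main__":
    store = TofuStore()
    for cert, der, host in [
        (CERT_WITH_SAN, DER_V1, "tanelorn.city"),         # first visit: pinned
        (CERT_WITH_SAN, DER_V1, "tanelorn.city"),         # second visit: pin matches
        (CERT_WITH_SAN, DER_V2, "tanelorn.city"),         # cert replaced: rejected
        (CERT_CN_ONLY, DER_V1, "tanelorn.city"),          # CN is a person, no SAN
        (CERT_WITH_SAN, DER_V1, "gemini.tanelorn.city"),  # wildcard SAN
    ]:
        print(host, validate(cert, der, host, store))
```

The `CERT_CN_ONLY` case is the situation tastytea describes: a CN holding a person's name and no SAN fails the hostname check, while the same CN next to a matching SAN passes, which is consistent with AV-98 connecting fine if the server does present a SAN. To see whether it does, pipe `openssl s_client -connect tanelorn.city:1965 -servername tanelorn.city </dev/null` into `openssl x509 -noout -text` and look for the "X509v3 Subject Alternative Name" extension rather than only the subject line.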