💾 Archived View for thelambdalab.xyz › phlog › 2020-06-22-Elpher-client-certificates.txt captured on 2020-09-24 at 01:05:53.

View Raw

More Information

-=-=-=-=-=-=-

Elpher client certificates
--------------------------

Prelude:

I'm tempted to apologize once more for adding yet _another_
Elpher-related post to this phlog.  It's difficult to avoid though, as
this is my main platform for announcing major changes.  I've been
considering using tags or something to split the entries into
elpher/non-elpher categories, so that people not interested in this
seemingly never-ending tirade of Elpher updates can leave early with
their sanity and temper intact.

So, to those people: be warned, this is another of "those" posts.

-=-=-=-=-

In a recent [1,2] *log entry, I lamented being unable to get Elpher to
use client certificates---which are an integral component of the
Gemini protocol---in establishing TLS connections using the native
Emacs network functions.  Several people have subsequently pointed out
that this limitation seems to be lifted by Emacs 27, whenever that
gets released. While encouraging, the Emacs release schedule is a
slow, methodical, and mysterious target of numerologists [3], and thus
it seemed the present situation was likely to remain in place for a
while longer.

On the weekend though, I was fiddling around with the networking code
in an effort to (a) consolidate the network code related to gopher,
gemini and finger into one method, and to (b) solve a handful of minor
bugs relating to conflicts between forcing use of IPv4 and server name
identification (SNI) for TLS connections.  To solve these issues I
wound up needing to switch out the use of the `open-network-stream`
procedure with the lower-level `make-network-process` function, as
this allows directly selecting the IP protocol version and specifying
the host name to use for SNI.  (For anybody interested, previously
forcing IPv4, when requested, was achieved using an ugly hack
involving performing a separate DNS lookup to retrieve the IPv4
address of a server, then using this as the host in the
open-network-stream call.)

On a whim I then decided to try attaching my astrobotany [4] TLS
client certificates to the make-network-process call and connect to
the astrobotany server...

... and bam, I was looking at a dead virtual plant.

I don't think I will ever be as happy to see virtual botanical tragedy
as I was at that moment!

So, with this discovery, Elpher v2.9.0 supports client certificates.
I've tried to make the interface as frictionless as possible, but of
course I'm open to suggestions.  The info manual (installed
automatically when you install Elpher from MELPA) goes through the
gory details of this, but I'll try to quickly summarize here.


  menu in the minibuffer. Pressing "?" presents a description of the
  available options, which are "t" to create and use a "throwaway"
  single-use certificate, "p" to create a permanent (or use an
  existing one), and "a" to abort the connection.


  is part of OpenSSL and is probably already installed on your
  machine.  If it's not, you'll need to install it.  If it is
  installed but the command line tool is not in your PATH (whatever
  that means on your system) you can specify the location of the tool
  by customizing the elpher-openssl-command variable.


  are deleted when the certificate is "forgotten", as described below.
  

  `elpher-certificate-directory', which by default is the directory
  "elpher-certificates/" inside the emacs configuration directory.


  choosing a name which does not correspond to an existing certificate
  will cause a new one to be created and added to that directory.


  certificates, so just hit TAB to see a list of all available
  certificates (really just the contents of the
  `elpher-certificate-directory' directory.


  establish a connection to a host other than the one for which the
  certificate was created).

That's pretty much it!  It's the initial release, so there may be some
rough edges.  (One that I already know about but haven't addressed yet
is that the "certificate name" you choose has to be a valid filename -
there's no sanitization yet.)  If you encounter any others please let
me know either by email or via the feedback button on the Elpher
project page.

Remember to water those plants!!

---
[1]: gemini://thelambdalab.xyz/phlog/2020-05-31-Inanity-3:-Virtual-Gardening.txt
[2]: gopher://thelambdalab.xyz/0/phlog/2020-05-31-Inanity-3:-Virtual-Gardening.txt
[3]: https://www.emacswiki.org/emacs/EmacsReleaseDates
[4]: gemini://astrobotany.mozz.us/