💾 Archived View for thelambdalab.xyz › phlog › 2020-06-22-Elpher-client-certificates.txt captured on 2020-09-24 at 01:05:53.
-=-=-=-=-=-=-
Elpher client certificates
--------------------------

Prelude: I'm tempted to apologize once more for adding yet _another_ Elpher-related post to this phlog. It's difficult to avoid though, as this is my main platform for announcing major changes. I've been considering using tags or something to split the entries into elpher/non-elpher categories, so that people not interested in this seemingly never-ending tirade of Elpher updates can leave early with their sanity and temper intact. So, to those people: be warned, this is another of "those" posts.

-=-=-=-=-

In a recent [1,2] *log entry, I lamented being unable to get Elpher to use client certificates---which are an integral component of the Gemini protocol---in establishing TLS connections using the native Emacs network functions. Several people have subsequently pointed out that this limitation seems to be lifted by Emacs 27, whenever that gets released. While encouraging, the Emacs release schedule is a slow, methodical, and mysterious target of numerologists [3], and thus it seemed the present situation was likely to remain in place for a while longer.

On the weekend though, I was fiddling around with the networking code in an effort to (a) consolidate the network code related to gopher, gemini and finger into one method, and to (b) solve a handful of minor bugs relating to conflicts between forcing use of IPv4 and server name identification (SNI) for TLS connections. To solve these issues I wound up needing to switch out the use of the `open-network-stream` procedure with the lower-level `make-network-process` function, as this allows directly selecting the IP protocol version and specifying the host name to use for SNI. (For anybody interested, previously forcing IPv4, when requested, was achieved using an ugly hack involving performing a separate DNS lookup to retrieve the IPv4 address of a server, then using this as the host in the `open-network-stream` call.)
On a whim I then decided to try attaching my astrobotany [4] TLS client certificates to the `make-network-process` call and connect to the astrobotany server...

... and bam, I was looking at a dead virtual plant. I don't think I will ever be as happy to see virtual botanical tragedy as I was at that moment!

So, with this discovery, Elpher v2.9.0 supports client certificates. I've tried to make the interface as frictionless as possible, but of course I'm open to suggestions. The info manual (installed automatically when you install Elpher from MELPA) goes through the gory details of this, but I'll try to quickly summarize here.
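To make the two technical points above concrete (selecting the IP family and the SNI host name via `make-network-process`, and attaching a client certificate to that same call), here is an added example in Emacs Lisp. It is not Elpher's own code and is not taken from the Elpher manual; it only illustrates the approach the post describes. The function names `example-open-tls-stream` and `example-gemini-fetch`, the key and certificate file paths, and the buffer names are assumptions. It relies on the `:tls-parameters` keyword of `make-network-process` and on `gnutls-boot-parameters`, both of which exist in Emacs built with GnuTLS support from version 25 onwards.

```elisp
;;; Added example, not part of Elpher: open a TLS connection with the
;;; lower-level `make-network-process', optionally forcing IPv4, always
;;; naming the host for SNI, and optionally presenting a client
;;; certificate.  Requires an Emacs built with GnuTLS.

(require 'gnutls)

(defun example-open-tls-stream (host port &optional force-ipv4 key-file cert-file)
  "Open a TLS connection to HOST:PORT and return the network process.
If FORCE-IPV4 is non-nil, restrict the connection to IPv4.  If both
KEY-FILE and CERT-FILE (PEM files) are given, present them as a client
certificate.  HOST is always used as the SNI host name, regardless of
the address family chosen, which avoids the DNS-lookup hack mentioned
in the post."
  (unless (gnutls-available-p)
    (error "This Emacs was built without GnuTLS support"))
  (let* ((keylist (and key-file cert-file
                       ;; :keylist takes a list of (KEY-FILE CERT-FILE) pairs.
                       (list (list (expand-file-name key-file)
                                   (expand-file-name cert-file)))))
         ;; `gnutls-boot-parameters' builds the parameter plist that the
         ;; process layer hands to GnuTLS: :hostname ends up in the SNI
         ;; extension, :keylist supplies the client key/certificate.
         (tls-params (gnutls-boot-parameters
                      :type 'gnutls-x509pki
                      :hostname host
                      :keylist keylist
                      ;; Gemini servers are commonly self-signed and
                      ;; checked by trust-on-first-use, so do not abort on
                      ;; verification errors here; the caller applies its
                      ;; own server-certificate policy.
                      :verify-error nil)))
    (make-network-process
     :name (format "example-tls-%s" host)
     :buffer (generate-new-buffer (format " *example-tls-%s*" host))
     :host host
     :service port
     ;; nil lets Emacs choose any address family; 'ipv4 restricts it.
     :family (and force-ipv4 'ipv4)
     :coding 'binary
     ;; Synchronous connect: the TLS handshake (including the client
     ;; certificate exchange) is complete when this call returns.
     :nowait nil
     :tls-parameters (cons 'gnutls-x509pki tls-params))))

(defun example-gemini-fetch (host path key-file cert-file &optional force-ipv4)
  "Fetch gemini://HOST/PATH using the client certificate in KEY-FILE and
CERT-FILE and return the raw response as a string.  The server closes
the connection after the response, so we read until the process exits."
  (let ((proc (example-open-tls-stream host 1965 force-ipv4 key-file cert-file)))
    (unwind-protect
        (progn
          ;; A Gemini request is the absolute URL followed by CRLF.
          (process-send-string proc (format "gemini://%s/%s\r\n" host path))
          (while (process-live-p proc)
            (accept-process-output proc 1))
          (with-current-buffer (process-buffer proc)
            (buffer-string)))
      (kill-buffer (process-buffer proc)))))

;; Assumed usage with placeholder paths:
;; (example-gemini-fetch "example.org" "" "~/.config/example/client.key"
;;                       "~/.config/example/client.crt" t)
```

Because the handshake is done synchronously inside `make-network-process`, a rejected or unreadable client certificate surfaces as a Lisp error at the point of connection rather than as a silently unauthenticated session, which is the behaviour you want when the certificate is the only identity the server sees.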