💾 Archived View for rawtext.club › ~sloum › geminilist › 001590.gmi captured on 2020-09-24 at 01:46:51. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
tastytea tastytea+gemini at tastytea.de
Fri Jun 12 17:39:22 BST 2020
- - - - - - - - - - - - - - - - - - -
On 2020-06-12 11:36-0400 Matthew Graybosch <hello at matthewgraybosch.com> wrote:
> On Fri, 12 Jun 2020 15:08:36 +0000
> colecmac at protonmail.com wrote:
> > Amen. Happy to have another server!
> Thanks.
> > However, in Bombadillo I get the error "Cert hostname does not
> > match". Make sure you're serving up the right certificate!
> Sorry to hear that!
> I just downloaded Bombadillo so I could see for myself, and checked my
> Gemserv config on kanajana. As far as I can tell my config is OK and
> I'm using the correct cert for each hostname, but the problem might be
> that kanajana isn't only serving tanelorn.city but demifiend.org and
> starbreaker.org as well.
> I'm not sure what to do about it, though, since all three sites are
> accessible using Castor and bollux.
If I interpret the output from `openssl s_client`¹ correctly, the CN of the certificate is set to “Matthew Graybosch”, not “tanelorn.city”, as is customary for HTTPS. However, while the specification states in 4.2 that “Clients can validate TLS connections however they like”, it recommends a “lightweight "TOFU" certificate-pinning system” without mentioning hostname validation.
Kristall and elpher also show no error, by the way.
Kind regards, tastytea
¹ echo -e 'gemini://tanelorn.city\r\n\r\n' \
  | openssl s_client -verify_hostname tanelorn.city tanelorn.city:1965
-- Get my PGP key with `gpg --locate-keys tastytea at tastytea.de` or at <https://tastytea.de/tastytea.asc>.
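
Added example, not part of the original message and not the code of any client named in the thread: it runs the two validation policies discussed above (HTTPS-style hostname matching and the TOFU pinning the specification recommends) against the same certificate. The certificate dict mirrors the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the absence of a subjectAltName, the placeholder DER bytes, and all function names are assumptions made for illustration.

```python
import hashlib

def cert_names(cert):
    """Return (SAN dNSNames, subject CNs) from a getpeercert()-shaped dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def hostname_policy(cert, host):
    """HTTPS-style check: SAN dNSNames take precedence, CN is only a fallback."""
    sans, cns = cert_names(cert)
    return any(name_matches(n, host) for n in (sans or cns))

def tofu_policy(store, host, port, der):
    """Trust on first use: pin the SHA-256 of the DER certificate per host:port."""
    fp = hashlib.sha256(der).hexdigest()
    key = f"{host}:{port}"
    if key not in store:
        store[key] = fp          # first contact: remember this certificate
        return "first-use"
    return "match" if store[key] == fp else "changed"

# Constructed sample: CN as reported in the message; no SAN is an assumption.
SAMPLE_CERT = {"subject": ((("commonName", "Matthew Graybosch"),),)}
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
OTHER_DER = b"constructed placeholder for a different certificate"

if __name__ == "__main__":
    pins = {}
    print("hostname check:", hostname_policy(SAMPLE_CERT, "tanelorn.city"))
    print("TOFU 1st visit:", tofu_policy(pins, "tanelorn.city", 1965, SAMPLE_DER))
    print("TOFU 2nd visit:", tofu_policy(pins, "tanelorn.city", 1965, SAMPLE_DER))
    print("TOFU new cert: ", tofu_policy(pins, "tanelorn.city", 1965, OTHER_DER))
```

A client applying only the hostname policy rejects this certificate, while a TOFU client accepts it on first contact and raises an alarm only when the pinned fingerprint later changes.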