Archived view for rawtext.club › ~sloum › geminilist › 002011.gmi captured on 2020-09-24 at 03:26:00.


Minimal client

Phil Leblanc <philanc at gmail.com>

Wed Jul 1 23:06:44 BST 2020

- - - - - - - - - - - - - - - - - - - 

Hi all,

I am looking for a solution to build a _small_, _statically linked_, minimal gemini client. My focus at the moment is to implement the basic communication layer (including TLS!): just enough to send a request to a gemini host and receive a response.

Has anybody already built such a client? Any pointer or suggestion?

Where I stand as of now:

--- I discarded OpenSSL. Bad memories of building small static executables a long time ago. Maybe it has improved and I am just prejudiced.

--- LibreSSL
 - not TLS v1.3 yet, but definitely alive and moving there.
 - easily builds static libraries, but no modular build: I mean I found no way to build libraries/executables with only a limited set of crypto algorithms => executables are large: the openssl command (similar to the OpenSSL one) is 2.5 MB (built on Linux with Musl libc, fully static, -Os, stripped). They also include the OpenBSD 'nc' command which supports TLS connections - 2 MB (for reference I have a small static nc without TLS support which is 50KB)

--- BearSSL
 - very nice code. An impressive feat for a one-man project (Thomas Pornin)
 - not yet at TLS-1.3. The code looks maintained but I don't know if it is actively developed. I saw no sign of ed25519 cert signing, but may be wrong here.
 - code size: the whole libbearssl.a is ~ 860KB, basic client and server examples are in the 150KB range, which is very nice.

--- WolfSSL
 - supports TLS-1.3. Is actively maintained by a company targeting embedded systems (but the code is GPL)
 - I don't know yet how to properly build small code, but with a default support for only TLS-1.3, and no ed25519 cert support, I could build basic client/server examples at ~ 260 KB.

--- MatrixSSL
 - supports TLS-1.3 but the code of the last public (GPL) version hasn't changed in the last 6 months.
 - I have not yet succeeded in building static working examples with a cross compiler. So I don't have ballpark code size figures.

--- Busybox ssl_client
 - some TLS support has been added in the recent busybox trees, based on MatrixSSL code. As they say, "enough TLS to allow the busybox wget applet to retrieve a kernel source" from https://kernel.org/
 - I built the ssl_client applet as a standalone static exe: 71 KB
 - it supports TLS-1.2 with a very limited set of crypto algos, and _no cert validation_.
 - I tried for fun to retrieve with it the root pages from all the gemini sites listed on Gus / known hosts: on a total of 116 sites, it managed to get 98 root pages and 18 TLS errors (I lack detailed error causes, but apparently mostly missing algos, and maybe some unsupported curves for ECDH(E)). -- not so bad for such a small "client" - but clearly not enough for real use.

Obviously, a big part of the equation is the evil number of combinations of ciphers, hashes and key exchange algos. Any guideline or best practice document about what ciphers/algos Gemini servers _should_ minimally support would help immensely!

Again, any suggestion on how to build a small, static SSL client is more than welcome.

Thanks in advance,

Phil
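Added example, not part of Phil's post and not code from any of the libraries he lists: a minimal Gemini request/response layer written in Python on the standard-library ssl module, standing in for whichever C TLS library a static build would link. It shows the part of "the basic communication layer" that sits on top of TLS (the request line with its 1024-byte cap, the "<STATUS> <META>\r\n" header parse, and the status classes) plus the trust-on-first-use certificate pin that a client like busybox's ssl_client skips when it does no cert validation. The known-fingerprint store is assumed to be an in-memory dict; a real client would persist it.

```python
"""Minimal Gemini client layer with TOFU certificate pinning.

Added example: stdlib ssl stands in for the C TLS library a small
static client would link. Not the poster's code.
"""
import hashlib
import socket
import ssl
import sys
from urllib.parse import urlparse

MAX_URL_BYTES = 1024   # Gemini caps the request URL at 1024 bytes
MAX_META_BYTES = 1024  # and the response <META> field at 1024 bytes

STATUS_CLASSES = {1: "input", 2: "success", 3: "redirect",
                  4: "temporary failure", 5: "permanent failure",
                  6: "client certificate required"}


class PinMismatch(Exception):
    """Server presented a certificate different from the pinned one."""


def build_request(url: str) -> bytes:
    """Serialize a Gemini request: absolute gemini:// URL followed by CRLF."""
    parsed = urlparse(url)
    if parsed.scheme != "gemini" or not parsed.hostname:
        raise ValueError("request must be an absolute gemini:// URL")
    raw = url.encode("utf-8")
    if len(raw) > MAX_URL_BYTES:
        raise ValueError("URL exceeds %d bytes" % MAX_URL_BYTES)
    return raw + b"\r\n"


def parse_header(data: bytes):
    """Split a raw response into (status, meta, body).

    Header is "<STATUS><SP><META>\r\n": two ASCII digits, one space, meta.
    Anything malformed raises ValueError so a tiny client fails closed.
    """
    end = data.find(b"\r\n")
    if end < 0 or end > 3 + MAX_META_BYTES:
        raise ValueError("missing or oversized response header")
    header, body = data[:end], data[end + 2:]
    if len(header) < 3 or not header[:2].isdigit() or header[2:3] != b" ":
        raise ValueError("malformed status line")
    status = int(header[:2])
    meta = header[3:].decode("utf-8", "replace")
    return status, meta, body


def status_class(status: int) -> str:
    """Map a two-digit status to its Gemini status class by first digit."""
    return STATUS_CLASSES.get(status // 10, "unknown")


def check_tofu(host: str, der_cert: bytes, known: dict) -> str:
    """Trust-on-first-use: pin SHA-256 of the server's DER cert per host.

    Returns "new" on first sight (and pins it), "match" afterwards, and
    raises PinMismatch if the fingerprint changed. This is the check the
    busybox ssl_client above does not perform at all.
    """
    fp = hashlib.sha256(der_cert).hexdigest()
    pinned = known.get(host)
    if pinned is None:
        known[host] = fp
        return "new"
    if pinned != fp:
        raise PinMismatch("%s: pinned %s, got %s" % (host, pinned, fp))
    return "match"


def fetch(url: str, known: dict, timeout: float = 10.0):
    """Perform one Gemini exchange: TLS, pin check, request, full response."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 1965
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False      # TOFU replaces CA/PKI validation,
    ctx.verify_mode = ssl.CERT_NONE  # so the pin check below is mandatory
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # Pin before sending anything; the DER cert is available
            # even with CERT_NONE.
            check_tofu(host, tls.getpeercert(binary_form=True), known)
            tls.sendall(build_request(url))
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return parse_header(b"".join(chunks))


if __name__ == "__main__":
    st, mt, bd = fetch(sys.argv[1], known={})
    print(st, status_class(st), mt)
    sys.stdout.write(bd.decode("utf-8", "replace"))
```

Run with a gemini:// URL as its argument to do a real fetch. The first connection to a host pins that host's certificate hash and every later connection with a different certificate is refused, so a rotated server key must be re-pinned by hand; that is the trade-off TOFU makes against CA validation, and it is still far more than a client with no cert validation gives you.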