💾 Archived View for rawtext.club › ~sloum › geminilist › 001485.gmi captured on 2020-11-07 at 02:15:27. Gemini links have been rewritten to link to archived content


CGI, SCGI and Certificates (was Re: [ANN] Gemini browser for iOS)

Sean Conner sean at conman.org

Wed Jun 10 05:38:31 BST 2020

- - - - - - - - - - - - - - - - - - - 

It was thus said that the Great Michael Lazar once stated:

> On Tue, Jun 9, 2020 at 10:09 PM Sean Conner <sean at conman.org> wrote:
> > It was thus said that the Great Michael Lazar once stated:
> > > I have a CGI debug script setup here [2] if anybody wants to poke holes in my
> > > implementation.
> > > [1] https://tools.ietf.org/html/rfc3875#section-3.3
> > > [2] gemini://mozz.us/cgi-bin/debug.cgi
> > I notice it doesn't set PATH_TRANSLATED
> I just didn't see a compelling reason to add it.

I think it may have something to do with Apache's rewrite rules. My blog [1] is run via a CGI script, and I make extensive use of it to hide the fact that I'm using a CGI script [2]. For example, the URL:

http://boston.conman.org/about/technical.html

is routed through the following rewrite rule [3]:

RewriteRule ^about/(.*) boston.cgi/about/$1 [L]

to give the final (internal) path of:

/boston.cgi/about/technical.html

I then use PATH_TRANSLATED to find the actual file to display. No Gemini server supports rewriting rules, but I don't see a reason why one couldn't.

> > and it always sets TLS_CIPHER and TLS_VERSION.
> Why not? These are just as useful even if the client doesn't send a
> certificate.

Fair enough.

> Some other differences in my server's CGI implementation (I used GLV as a
> reference implementation, so there are a lot of similarities too):
>
> TLS_CLIENT_HASH
> I'm using a base64-encoded representation of the hash. I like your notation of
> SHA256:<HEX> better, but it's too late now and I don't want to break backwards
> compatibility.

The format I use is from libtls---it was not my choice.

> TLS_CLIENT_SERIAL_NUMBER
> The client certificate serial number. I'm surprised that this isn't available
> in libtls.

I was surprised too when I saw TLS_CLIENT_SERIAL_NUMBER for the first time. I may have to make an extension module to do some stuff that libtls can't do.

> TLS_CLIENT_AUTHORISED
> Even though jetforce accepts unverified client certificates now, it will still
> check if the certificate is authorised anyway. This means both valid and trusted
> by the server's CA store. So this will be set to "1" for trusted and "0" for
> untrusted. I like this variable because it gives each CGI script the option to
> implement authentication however they want.

That makes sense. That's another thing that libtls makes a bit difficult.

-spc

[1] http://boston.conman.org/

[2] Not for security reasons, but for aesthetic reasons. I could change the name of the CGI script and *none* of the URLs will change.

[3] I'd have to look up what the '[L]' does---it's been *that* long since I've set this up.
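The thread above touches three CGI variables a Gemini script has to interpret: TLS_CLIENT_HASH, which one server emits as base64 and another as SHA256:<HEX>; TLS_CLIENT_AUTHORISED, which tells the script whether the server's CA store trusts the certificate so the script can apply its own policy otherwise; and PATH_TRANSLATED, which the rewrite example maps onto a file. The following is an added example, not code from the post, from jetforce or from GLV. It assumes (our assumption, not stated in the thread) that the base64 form encodes the raw 32-byte SHA-256 digest, it uses the Gemini status codes 20, 60, 61 and 62 for its decisions, and the certificate bytes, document root and allowlist are constructed sample data.

```python
import base64
import hashlib
import os
import posixpath

# Gemini response status codes (from the Gemini specification) used by the policy below.
STATUS_SUCCESS = 20
STATUS_CERT_REQUIRED = 60
STATUS_CERT_NOT_AUTHORISED = 61
STATUS_CERT_NOT_VALID = 62


def normalize_client_hash(value):
    """Return the TLS_CLIENT_HASH digest as lowercase hex.

    Accepts the 'SHA256:<HEX>' notation discussed in the thread as well as a bare
    base64 string. Assumption (ours, not stated in the post): the base64 form
    encodes the raw 32-byte SHA-256 digest of the certificate.
    """
    value = value.strip()
    if value.upper().startswith("SHA256:"):
        hexdigest = value[len("SHA256:"):].lower()
        if len(hexdigest) != 64 or any(c not in "0123456789abcdef" for c in hexdigest):
            raise ValueError("malformed SHA256:<HEX> client hash")
        return hexdigest
    try:
        raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("client hash is neither SHA256:<HEX> nor valid base64") from None
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("base64 client hash does not decode to a 32-byte digest")
    return raw.hex()


def decide_access(env, allowed_hex_hashes):
    """Decide whether the request may proceed. Returns (status, reason).

    TLS_CLIENT_AUTHORISED == "1" means the certificate is valid and chains to the
    server's CA store; otherwise the script falls back to its own pinned allowlist,
    which is the per-script policy the thread says the variable makes possible.
    """
    client_hash = env.get("TLS_CLIENT_HASH", "")
    if not client_hash:
        return STATUS_CERT_REQUIRED, "client certificate required"
    try:
        hexdigest = normalize_client_hash(client_hash)
    except ValueError as exc:
        return STATUS_CERT_NOT_VALID, str(exc)
    if env.get("TLS_CLIENT_AUTHORISED") == "1":
        return STATUS_SUCCESS, "certificate trusted by the server's CA store"
    if hexdigest in allowed_hex_hashes:
        return STATUS_SUCCESS, "certificate pinned in script allowlist"
    return STATUS_CERT_NOT_AUTHORISED, "certificate not authorised"


def path_is_inside_root(path, document_root):
    """True if the normalised path is the document root or lies below it."""
    root = posixpath.normpath(document_root)
    full = posixpath.normpath(path)
    return full == root or full.startswith(root + "/")


def resolve_document(path_translated, document_root):
    """Map PATH_TRANSLATED onto a file below document_root, refusing escapes.

    PATH_TRANSLATED is already a filesystem path (the rewritten URL path mapped onto
    the document root), so the only job here is to normalise it and make sure '..'
    segments have not steered it above the root.
    """
    if not path_is_inside_root(path_translated, document_root):
        raise PermissionError("PATH_TRANSLATED escapes the document root")
    return posixpath.normpath(path_translated)


# Constructed sample data: a fake certificate byte string hashed once, then presented
# in both notations so the normaliser can be exercised offline.
FAKE_CERT_DER = b"constructed-example-certificate-bytes"
DEMO_DIGEST_HEX = hashlib.sha256(FAKE_CERT_DER).hexdigest()
DEMO_DOCROOT = "/srv/gemini"  # constructed path


def example_environments():
    """Two constructed CGI environments: SHA256:<HEX> untrusted, base64 CA-trusted."""
    digest = bytes.fromhex(DEMO_DIGEST_HEX)
    common = {"PATH_TRANSLATED": DEMO_DOCROOT + "/about/technical.html"}
    hex_style = dict(common, TLS_CLIENT_HASH="SHA256:" + DEMO_DIGEST_HEX.upper(),
                     TLS_CLIENT_AUTHORISED="0")
    b64_style = dict(common, TLS_CLIENT_HASH=base64.b64encode(digest).decode("ascii"),
                     TLS_CLIENT_AUTHORISED="1")
    return hex_style, b64_style


if __name__ == "__main__":
    # Stand-alone run: evaluate both constructed environments, then the real one if present.
    allow = {DEMO_DIGEST_HEX}
    for env in example_environments():
        print(decide_access(env, allow), resolve_document(env["PATH_TRANSLATED"], DEMO_DOCROOT))
    if "TLS_CLIENT_HASH" in os.environ:
        print(decide_access(os.environ, allow))
```

Normalising to one representation before comparing is what lets the same allowlist work behind either server; comparing the raw strings would silently reject every certificate once the script moved from one notation to the other.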