💾 Archived View for rawtext.club › ~sloum › geminilist › 001562.gmi captured on 2020-11-07 at 02:18:39. Gemini links have been rewritten to link to archived content


CGI, SCGI and Certificates (was Re: [ANN] Gemini browser for iOS)

Michael Lazar lazar.michael22 at gmail.com

Thu Jun 11 20:33:37 BST 2020

- - - - - - - - - - - - - - - - - - - 

On Thu, Jun 11, 2020 at 1:37 PM solderpunk <solderpunk at sdf.org> wrote:

> On Wed, Jun 10, 2020 at 06:58:38PM -0400, Michael Lazar wrote:
> > Ok I'll walk that back. It's too late to make changes *unless* there's a good
> > reason to do so. I don't want to break CGI variables on a whim anymore, but if
> > we all agree on a standard then I will follow suit.
>
> You're not storing these hashes in some kind of database for
> Astrobotany? Wouldn't changing how you calculate the TLS_CLIENT_HASH
> variable break a lot of accounts?

I am storing them in the database as base64-encoded strings. But it would not be hard to convert between the two text formats as long as the fingerprint bytes are the same. What we're discussing here (to my knowledge) is two different text representations of the same SHA256 digest of the public x509 certificate DER [0][1]. That's the standard way to do certificate fingerprinting from what I can tell.

Even if we do pick a different hashing algorithm for the CGI variable, astrobotany is implemented as a jetforce "application" where the python code is invoked directly inside the server's interpreter. So it has full access to the raw client certificate and can generate whichever hash it needs. I think this is similar to what GLV-1.12556 does with allowing custom LUA "handlers".

[0] https://github.com/michael-lazar/jetforce/blob/ea7d8c6f4cbc3db14f62c01bf12c375abfe98e7e/jetforce/tls.py#L25

[1] https://github.com/pyca/cryptography/blob/f5735cf25acd08222368a1db615bbf61d36b8007/src/cryptography/hazmat/backends/openssl/x509.py#L47
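The conversion the message describes, as an added example that is not jetforce's or astrobotany's own code: the fingerprint is the SHA-256 digest of the raw certificate DER, and the base64 and hex strings are two encodings of those same 32 bytes, so a stored value in either form can be normalised back to bytes before comparison. The sample DER bytes are a constructed placeholder, not a real certificate, and the function names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed placeholder standing in for a DER-encoded x509 certificate.
# The fingerprint is SHA-256 over the raw DER bytes, so any byte string
# exercises the conversion logic; a real server would use the client
# certificate bytes handed over by its TLS layer.
SAMPLE_DER = bytes.fromhex("308201223082010aa0030201020208") + b"constructed-cert"

def fingerprint(der: bytes) -> bytes:
    """SHA-256 digest of the DER bytes (32 raw bytes)."""
    return hashlib.sha256(der).digest()

def to_base64(digest: bytes) -> str:
    """Base64 text form: 44 characters including one '=' of padding."""
    return base64.b64encode(digest).decode("ascii")

def to_hex(digest: bytes, sep: str = "") -> str:
    """Hex text form; sep=':' gives the OpenSSL-style colon layout."""
    return sep.join(f"{b:02x}" for b in digest)

def parse_fingerprint(text: str) -> bytes:
    """Accept either text form and return the 32 digest bytes.

    Disambiguation is by length after stripping separators: 64 hex chars
    (any case, optional ':' or ' ' separators) vs. 43/44 base64 chars.
    A 64-char hex string is syntactically valid base64 too, but it would
    decode to 48 bytes, so length alone tells the two forms apart.
    """
    compact = text.strip().replace(":", "").replace(" ", "")
    if len(compact) == 64:
        try:
            return bytes.fromhex(compact)
        except ValueError as exc:
            raise ValueError("invalid hex fingerprint") from exc
    if len(compact) in (43, 44):
        padded = compact + "=" * (-len(compact) % 4)  # tolerate stripped '='
        try:
            digest = base64.b64decode(padded, validate=True)
        except binascii.Error as exc:
            raise ValueError("invalid base64 fingerprint") from exc
        if len(digest) == 32:
            return digest
    raise ValueError("not a SHA-256 fingerprint in hex or base64 form")

def fingerprints_match(stored: str, presented: str) -> bool:
    """Compare two fingerprints regardless of which text form each uses."""
    return hmac.compare_digest(parse_fingerprint(stored), parse_fingerprint(presented))
```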