💾 Archived View for rawtext.club › ~sloum › geminilist › 007177.gmi captured on 2021-11-30 at 19:37:34. Gemini links have been rewritten to link to archived content


A simple/toy client in C

Michael Forney mforney at mforney.org

Tue Sep 21 20:12:27 BST 2021

- - - - - - - - - - - - - - - - - - - 

On 2021-09-21, Omar Polo <op at omarpolo.com> wrote:
> stack at tilde.club writes:
> > [...]
> > I am using BearSSL (for its minimalism). I started with the sample
> > provided, modified for the Gemini request. I keep getting stuck with
> > error 62 (probably because I don't understand how to deal with TLS).
> > I attempted to generate the CA boilerplate code, but there are some
> > ominous hints that the code is HTTPS-specific.
>
> It's just a wild guess, I never touched BearSSL, but it smells like a
> possible failure in verifying the certificates. In geminispace the
> usage of TOFU and self-signed certificates is way more popular than on
> the web, and TLS libraries by default try to verify the certificate
> against the installed CAs. For the record, on libtls the function is
> tls_config_insecure_noverifycert.

I have a lot of experience with BearSSL, and I think this is a good
guess. Error code 62 is BR_ERR_X509_NOT_TRUSTED, which means that the
server is using a certificate that was not accepted by the X.509
engine you configured your client to use.

stack, I'm assuming you were just using br_x509_minimal_context, which
is configured with a set of CAs, one of which must be found in the
certificate chain sent by servers. As Omar said, with gemini it is
common practice to use self-signed certificates, which will need a
different X.509 engine.

For an example, check out Drew DeVault's gmni client, which uses
BearSSL and implements an `x509_tofu_context`:
https://git.sr.ht/~sircmpwn/gmni/tree/master/item/src/tofu.c
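The trust decision that a TOFU X.509 engine has to make, as an added example for this thread. This is not code from the message above, from BearSSL or from gmni; it is only the known-hosts lookup that such an engine would call, written in plain C so it runs without BearSSL. Assumptions: the caller has already hashed the server's DER certificate with SHA-256 (in BearSSL that would be br_sha256_init/br_sha256_update/br_sha256_out over the bytes the X.509 engine receives) and passes it as hex; the one-record-per-line store format, the host names and the fingerprints are all made up for the example. The BearSSL glue itself (a br_x509_class whose end_chain reports 0 on TOFU_TRUSTED or TOFU_NEW_HOST and an error otherwise) is not shown.

```c
/* tofu_store.c: trust-on-first-use decision for a Gemini client.
 * Added example; not from the thread, BearSSL or gmni.
 * Store format, host names and fingerprints are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FP_HEX_LEN 64   /* SHA-256 of the DER certificate, hex encoded */

enum tofu_result {
    TOFU_TRUSTED,   /* host known and fingerprint matches: proceed */
    TOFU_NEW_HOST,  /* host never seen: accept and record it (the "first use") */
    TOFU_MISMATCH,  /* host known but fingerprint differs: refuse, ask the user */
    TOFU_BAD_INPUT  /* fingerprint is not 64 hex digits */
};

/* Constructed known-hosts store: "<host> SHA256:<hex>" per line.
 * A real client would load this from a file in its config directory. */
static const char known_hosts[] =
    "gemini.example.org SHA256:"
    "8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4\n"
    "capsule.example.net SHA256:"
    "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae\n";

/* Validate a hex fingerprint and copy it lower-cased into out
 * (out must hold FP_HEX_LEN + 1 bytes). Returns 1 if well-formed. */
static int normalize_fp(const char *in, char *out)
{
    size_t i;
    if (strlen(in) != FP_HEX_LEN)
        return 0;
    for (i = 0; i < FP_HEX_LEN; i++) {
        if (!isxdigit((unsigned char)in[i]))
            return 0;
        out[i] = (char)tolower((unsigned char)in[i]);
    }
    out[FP_HEX_LEN] = '\0';
    return 1;
}

/* Find host's record in store; copy its raw fingerprint into found.
 * The exact line-length check keeps "host.evil" from matching "host". */
static int lookup_host(const char *store, const char *host, char *found)
{
    const char *p = store;
    size_t hlen = strlen(host);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen == hlen + 1 + 7 + FP_HEX_LEN &&
            strncmp(p, host, hlen) == 0 && p[hlen] == ' ' &&
            strncmp(p + hlen + 1, "SHA256:", 7) == 0) {
            memcpy(found, p + hlen + 8, FP_HEX_LEN);
            found[FP_HEX_LEN] = '\0';
            return 1;
        }
        p += linelen;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* The decision an X.509 engine's end-of-chain callback would make. */
enum tofu_result tofu_check(const char *store, const char *host,
                            const char *fingerprint)
{
    char seen[FP_HEX_LEN + 1], raw[FP_HEX_LEN + 1], stored[FP_HEX_LEN + 1];
    if (!normalize_fp(fingerprint, seen))
        return TOFU_BAD_INPUT;
    if (!lookup_host(store, host, raw))
        return TOFU_NEW_HOST;
    if (!normalize_fp(raw, stored))
        return TOFU_MISMATCH;   /* corrupt record: fail closed */
    return memcmp(seen, stored, FP_HEX_LEN) == 0 ? TOFU_TRUSTED
                                                 : TOFU_MISMATCH;
}

/* Format the record to append to the store after TOFU_NEW_HOST.
 * Returns the record length, or -1 on bad input or a too-small buffer. */
int tofu_record(const char *host, const char *fingerprint,
                char *out, size_t outlen)
{
    char fp[FP_HEX_LEN + 1];
    int n;
    if (!normalize_fp(fingerprint, fp))
        return -1;
    n = snprintf(out, outlen, "%s SHA256:%s\n", host, fp);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    static const char *names[] = {"trusted", "new host", "MISMATCH", "bad input"};
    const char *fp = "8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4";
    printf("%s\n", names[tofu_check(known_hosts, "gemini.example.org", fp)]);
    printf("%s\n", names[tofu_check(known_hosts, "capsule.example.net", fp)]);
    printf("%s\n", names[tofu_check(known_hosts, "new.example.com", fp)]);
    return 0;
}
```

Only TOFU_TRUSTED and TOFU_NEW_HOST should let the handshake continue; on TOFU_MISMATCH the client should fail the connection and surface both fingerprints, since a changed key is exactly the event TOFU exists to catch (legitimate rotation looks the same as an attacker, so the user has to decide).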