- nervuri <nervuri at disroot.org>
@ Thu, 15 Apr 2021 20:51 +0000
Reply to Alex // nytpu <alex at nytpu.com>
────────────────────────────────────────────────────────────────────────────────
On Thu, 2021-04-15, Alex // nytpu wrote:
> The problem is that Gemini mandates Server Name Indication (SNI). It lets you
> host multiple (sub)domains at one IP address.
Indeed, this might require clarification in the spec. There's no reason
to demand SNI if a raw IP address is used - as almaember points out, RFC
6066 even forbids IP addresses in SNI. If a server has multiple IP
addresses, it can serve different certificates on each of them without
having to use SNI.
Also, there's no reason for Gemini to require paying the DNS tax.
People should be able to host capsules without dealing with DNS.
> the HostName field can be 0 characters. TLS 1.3 (and Gemini over TLS
> 1.2) mandates that the SNI extension /exists/ in the ClientHello, but
> the hostname field itself can be empty, indicating to use some
> "default" at the operator's discretion. If anyone has a GitLab account,
> this might be a good thing to open an issue to clarify.
Yes, if TLS 1.3 mandates it, then the answer is to send an empty SNI
field. But does it? Here's what it says at the start of
https://tools.ietf.org/html/rfc8446#section-9.2 :
    In the absence of an application profile standard specifying otherwise,
    a TLS-compliant application MUST implement the following TLS extensions
What does "application profile standard" mean? Can the Gemini
"application profile standard" say that SNI is not required in this
case? Or would this create problems with TLS libraries?
For what it's worth, the OpenSSL s_client manpage says:
    Even though SNI should normally be a DNS name and not an IP
    address, if -servername is provided then that name will be
    sent, regardless of whether it is a DNS name or not.
No SNI vs empty SNI - we could test to see if servers have a problem
with either.
I'll open the issue on GitLab.
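Added example (not part of nervuri's message, nor code from the Gemini project): a
small probe for the "no SNI vs empty SNI" test proposed above. Python's ssl module
refuses an empty server_hostname and silently drops SNI for IP literals, so the
script builds the ClientHello by hand. build_client_hello() emits the record with the
server_name extension absent, present-but-empty, a DNS name, or an IP literal (the
last two being what RFC 6066 respectively requires and forbids; HostName is defined
there as 1..2^16-1 bytes, so the empty form is technically non-conforming).
classify_response() reads the first record a server sends back and reports
ServerHello versus a TLS alert, and parse_sni() recovers the SNI from a captured
ClientHello, which a server operator can use to see what clients actually send.
Hostnames, ports, the cipher and group choices, and the x25519 key share value are
assumptions of the example; the key share is random because the handshake is never
finished.

```python
import os
import socket
import struct

SNI_ABSENT = None   # do not include the server_name extension at all
SNI_EMPTY = ""      # include the extension with a zero-length HostName

def _u8(n): return struct.pack("!B", n)
def _u16(n): return struct.pack("!H", n)
def _u24(n): return n.to_bytes(3, "big")
def _vec(data, width): return {1: _u8, 2: _u16, 3: _u24}[width](len(data)) + data
def _ext(ext_type, body): return _u16(ext_type) + _vec(body, 2)

def build_client_hello(sni, random_bytes=None):
    """Return one TLS record holding a ClientHello that offers TLS 1.2 and 1.3.

    sni: SNI_ABSENT, SNI_EMPTY, a DNS name, or an IP literal (sent verbatim).
    """
    if random_bytes is None:
        random_bytes = os.urandom(32)
    exts = b""
    if sni is not SNI_ABSENT:
        # RFC 6066 ServerNameList: one entry of name_type host_name(0) + HostName.
        name = _u8(0) + _vec(sni.encode("ascii"), 2)
        exts += _ext(0x0000, _vec(name, 2))
    exts += _ext(0x000a, _vec(_u16(0x001d) + _u16(0x0017), 2))                   # groups: x25519, P-256
    exts += _ext(0x000d, _vec(_u16(0x0403) + _u16(0x0804) + _u16(0x0401), 2))    # signature_algorithms
    exts += _ext(0x002b, _vec(_u16(0x0304) + _u16(0x0303), 1))                   # supported_versions
    # Random x25519 public value (assumption): the shared secret is never used, it
    # only lets a TLS 1.3 server answer with a ServerHello instead of a retry.
    exts += _ext(0x0033, _vec(_u16(0x001d) + _vec(os.urandom(32), 2), 2))
    body = (b"\x03\x03" + random_bytes
            + _vec(b"", 1)                                             # legacy_session_id
            + _vec(_u16(0x1301) + _u16(0xc02b) + _u16(0xc02f), 2)      # cipher_suites
            + _vec(b"\x00", 1)                                         # compression: null only
            + _vec(exts, 2))
    handshake = _u8(1) + _vec(body, 3)            # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _vec(handshake, 2)   # ContentType handshake(22)

def parse_sni(record):
    """Return SNI_ABSENT, SNI_EMPTY or the host_name carried by a ClientHello record."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    body = record[9:]                                   # skip record + handshake headers
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos >= len(body):
        return SNI_ABSENT                               # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000:
            list_len = struct.unpack("!H", data[:2])[0]
            i = 2
            while i + 3 <= 2 + list_len:
                ntype = data[i]
                nlen = struct.unpack("!H", data[i + 1:i + 3])[0]
                if ntype == 0:
                    return data[i + 3:i + 3 + nlen].decode("ascii")
                i += 3 + nlen
            return SNI_EMPTY                            # extension present, no host_name entry
    return SNI_ABSENT

ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 50: "decode_error",
          70: "protocol_version", 112: "unrecognized_name"}

def classify_response(data):
    """Describe the first TLS record a server sent back (or the lack of one)."""
    if len(data) < 6:
        return "connection closed without a TLS record"
    if data[0] == 0x16 and data[5] == 0x02:
        return "ServerHello (accepted)"
    if data[0] == 0x15 and len(data) >= 7:
        return "alert: " + ALERTS.get(data[6], f"code {data[6]}")
    return f"unexpected record type 0x{data[0]:02x}"

def probe(host, port, sni, timeout=5.0):
    """Send one ClientHello variant to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sni))
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1965   # Gemini default port
    variants = [("no SNI", SNI_ABSENT), ("empty SNI", SNI_EMPTY),
                ("DNS name", host), ("IP literal", socket.gethostbyname(host))]
    for label, sni in variants:
        print(f"{label:11s}: {probe(host, port, sni)}")
```

Run it as `python3 sni_probe.py capsule.example` against a server you operate; a
server that picks a default certificate answers all four rows with "ServerHello
(accepted)", while one that insists on a matching name typically returns
"alert: unrecognized_name" (or just closes the connection) for the first two.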
════════════════════════════════════════════════════════════════════════════════
Reply from Tom <tgrom.automail at nuegia.net>